From: Yongji Xie <xieyongji@bytedance.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
    "Jason Wang" <jasowang@redhat.com>,
    "Stefan Hajnoczi" <stefanha@redhat.com>,
    "Stefano Garzarella" <sgarzare@redhat.com>,
    "Parav Pandit" <parav@nvidia.com>,
    "Christoph Hellwig" <hch@infradead.org>,
    "Christian Brauner" <christian.brauner@canonical.com>,
    "Randy Dunlap" <rdunlap@infradead.org>,
    "Matthew Wilcox" <willy@infradead.org>,
    viro@zeniv.linux.org.uk, "Jens Axboe" <axboe@kernel.dk>,
    bcrl@kvack.org, "Jonathan Corbet" <corbet@lwn.net>,
    "Mika Penttilä" <mika.penttila@nextfour.com>,
    joro@8bytes.org,
    virtualization <virtualization@lists.linux-foundation.org>,
    netdev@vger.kernel.org, kvm <kvm@vger.kernel.org>,
    linux-fsdevel@vger.kernel.org, iommu@lists.linux-foundation.org,
    linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: Re: [PATCH v7 04/12] virtio-blk: Add validation for block size in config space
Date: Thu, 20 May 2021 13:25:16 +0800
Message-ID: <CACycT3veubBFCg9omxLDJJFP7B7QH8++Q+tKmb_M_hmNS45cmw@mail.gmail.com>
In-Reply-To: <20210519144206.GF32682@kadam>

On Wed, May 19, 2021 at 10:42 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Wed, May 19, 2021 at 09:39:20PM +0800, Yongji Xie wrote:
> > On Mon, May 17, 2021 at 5:56 PM Xie Yongji <xieyongji@bytedance.com> wrote:
> > >
> > > This ensures that we will not use an invalid block size
> > > in config space (might come from an untrusted device).
>
> I looked at if I should add this as an untrusted function so that Smatch
> could find these sorts of bugs but this is reading data from the host so
> there has to be some level of trust...
>

It would be great if Smatch could detect this case if possible. The
data might be trusted in traditional VM cases. But now the data can be
read from a userspace daemon when VDUSE is enabled.

> I should add some more untrusted data kvm functions to Smatch.
Right > now I only have kvm_register_read() and I've added kvm_read_guest_virt() > just now. > > > > > > > Signed-off-by: Xie Yongji <xieyongji@bytedance.com> > > > --- > > > drivers/block/virtio_blk.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > > > index ebb4d3fe803f..c848aa36d49b 100644 > > > --- a/drivers/block/virtio_blk.c > > > +++ b/drivers/block/virtio_blk.c > > > @@ -826,7 +826,7 @@ static int virtblk_probe(struct virtio_device *vdev) > > > err = virtio_cread_feature(vdev, VIRTIO_BLK_F_BLK_SIZE, > > > struct virtio_blk_config, blk_size, > > > &blk_size); > > > - if (!err) > > > + if (!err && blk_size > 0 && blk_size <= max_size) > > > > The check here is incorrect. I will use PAGE_SIZE as the maximum > > boundary in the new version. > > What does this bug look like to the user? The kernel will panic if the block size is larger than PAGE_SIZE. > A minimum block size of 1 seems pretty crazy. Surely the minimum should be > higher? > Yes, 512 is better here. Thanks, Yongji
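Review bot: In the changed condition in virtblk_probe(), `blk_size > 0 && blk_size <= max_size` still accepts values that are not usable logical block sizes, such as 1 or any non-power-of-two, and the upper bound `max_size` is not tied to anything visible in this hunk. Suggest bounding the value between 512 and PAGE_SIZE, as settled in the replies, and also requiring a power of two. Because the test is folded into the `!err` branch, a device that offers VIRTIO_BLK_F_BLK_SIZE but reports an out-of-range value is handled the same way as a device that does not offer the feature at all; consider failing the probe with an error, or at least logging the rejected value, so a misbehaving or untrusted device (the VDUSE userspace daemon case named in the commit message) is visible to the administrator.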