From: "Michael S. Tsirkin" <mst@redhat.com> To: Anirudh Rayabharam <mail@anirudhrb.com> Cc: Jason Wang <jasowang@redhat.com>, syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] vhost: validate range size before adding to iotlb Date: Tue, 22 Feb 2022 09:04:46 -0500 [thread overview] Message-ID: <20220222090406-mutt-send-email-mst@kernel.org> (raw) In-Reply-To: <20220221195303.13560-1-mail@anirudhrb.com> On Tue, Feb 22, 2022 at 01:23:03AM +0530, Anirudh Rayabharam wrote: > In vhost_iotlb_add_range_ctx(), validate the range size is non-zero > before proceeding with adding it to the iotlb. > > Range size can overflow to 0 when start is 0 and last is (2^64 - 1). > One instance where it can happen is when userspace sends an IOTLB > message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an > entry with size = 0, start = 0, last = (2^64 - 1) ends up in the > iotlb. Next time a packet is sent, iotlb_access_ok() loops > indefinitely due to that erroneous entry: > > Call Trace: > <TASK> > iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 > vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 > vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 > vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 > kthread+0x2e9/0x3a0 kernel/kthread.c:377 > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 > </TASK> > > Reported by syzbot at: > https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 > > Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com> > --- > drivers/vhost/iotlb.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c > index 670d56c879e5..b9de74bd2f9c 100644 > --- a/drivers/vhost/iotlb.c > +++ b/drivers/vhost/iotlb.c > @@ -53,8 +53,10 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > void *opaque) > { > struct vhost_iotlb_map *map; > + u64 size = last - start + 1; > > - if (last < start) > + // size can overflow to 0 when start is 0 and last is (2^64 - 1). Pls use the old-style /* */ comments. > + if (last < start || size == 0) > return -EFAULT; > > if (iotlb->limit && > @@ -69,7 +71,7 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > return -ENOMEM; > > map->start = start; > - map->size = last - start + 1; > + map->size = size; > map->last = last; > map->addr = addr; > map->perm = perm; > -- > 2.35.1
WARNING: multiple messages have this Message-ID (diff)
From: "Michael S. Tsirkin" <mst@redhat.com> To: Anirudh Rayabharam <mail@anirudhrb.com> Cc: kvm@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org, syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com Subject: Re: [PATCH] vhost: validate range size before adding to iotlb Date: Tue, 22 Feb 2022 09:04:46 -0500 [thread overview] Message-ID: <20220222090406-mutt-send-email-mst@kernel.org> (raw) In-Reply-To: <20220221195303.13560-1-mail@anirudhrb.com> On Tue, Feb 22, 2022 at 01:23:03AM +0530, Anirudh Rayabharam wrote: > In vhost_iotlb_add_range_ctx(), validate the range size is non-zero > before proceeding with adding it to the iotlb. > > Range size can overflow to 0 when start is 0 and last is (2^64 - 1). > One instance where it can happen is when userspace sends an IOTLB > message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an > entry with size = 0, start = 0, last = (2^64 - 1) ends up in the > iotlb. Next time a packet is sent, iotlb_access_ok() loops > indefinitely due to that erroneous entry: > > Call Trace: > <TASK> > iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 > vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 > vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 > vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 > kthread+0x2e9/0x3a0 kernel/kthread.c:377 > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 > </TASK> > > Reported by syzbot at: > https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 > > Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com > Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com> > --- > drivers/vhost/iotlb.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c > index 670d56c879e5..b9de74bd2f9c 100644 > --- a/drivers/vhost/iotlb.c > +++ b/drivers/vhost/iotlb.c > @@ -53,8 +53,10 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > void *opaque) > { > struct vhost_iotlb_map *map; > + u64 size = last - start + 1; > > - if (last < start) > + // size can overflow to 0 when start is 0 and last is (2^64 - 1). Pls use the old-style /* */ comments. > + if (last < start || size == 0) > return -EFAULT; > > if (iotlb->limit && > @@ -69,7 +71,7 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, > return -ENOMEM; > > map->start = start; > - map->size = last - start + 1; > + map->size = size; > map->last = last; > map->addr = addr; > map->perm = perm; > -- > 2.35.1 _______________________________________________ Virtualization mailing list Virtualization@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2022-02-22 14:05 UTC|newest] Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-02-21 19:53 [PATCH] vhost: validate range size before adding to iotlb Anirudh Rayabharam 2022-02-22 2:50 ` Jason Wang 2022-02-22 2:50 ` Jason Wang 2022-02-22 4:57 ` Anirudh Rayabharam 2022-02-22 7:11 ` Jason Wang 2022-02-22 7:11 ` Jason Wang 2022-02-22 15:02 ` Michael S. Tsirkin 2022-02-22 15:02 ` Michael S. Tsirkin 2022-02-22 17:27 ` Anirudh Rayabharam 2022-02-22 23:21 ` Michael S. Tsirkin 2022-02-22 23:21 ` Michael S. Tsirkin 2022-02-23 14:18 ` Anirudh Rayabharam 2022-02-23 15:15 ` Michael S. Tsirkin 2022-02-23 15:15 ` Michael S. Tsirkin 2022-02-23 16:49 ` Anirudh Rayabharam 2022-02-23 17:14 ` Michael S. Tsirkin 2022-02-23 17:14 ` Michael S. Tsirkin 2022-02-23 2:05 ` Jason Wang 2022-02-23 2:05 ` Jason Wang 2022-02-22 14:04 ` Michael S. Tsirkin [this message] 2022-02-22 14:04 ` Michael S. Tsirkin
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20220222090406-mutt-send-email-mst@kernel.org \ --to=mst@redhat.com \ --cc=jasowang@redhat.com \ --cc=kvm@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=mail@anirudhrb.com \ --cc=netdev@vger.kernel.org \ --cc=syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com \ --cc=virtualization@lists.linux-foundation.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.