From: Stefano Garzarella <sgarzare@redhat.com>
To: "Andrea Parri (Microsoft)" <parri.andrea@gmail.com>
Cc: KY Srinivasan <kys@microsoft.com>,
Haiyang Zhang <haiyangz@microsoft.com>,
Stephen Hemminger <sthemmin@microsoft.com>,
Wei Liu <wei.liu@kernel.org>, Dexuan Cui <decui@microsoft.com>,
Michael Kelley <mikelley@microsoft.com>,
David Miller <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
linux-hyperv@vger.kernel.org,
virtualization@lists.linux-foundation.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/5] hv_sock: Check hv_pkt_iter_first_raw()'s return value
Date: Thu, 21 Apr 2022 15:50:57 +0200 [thread overview]
Message-ID: <20220421135057.57whrntjdv25jqpl@sgarzare-redhat> (raw)
In-Reply-To: <20220420200720.434717-2-parri.andrea@gmail.com>
On Wed, Apr 20, 2022 at 10:07:16PM +0200, Andrea Parri (Microsoft) wrote:
>The function returns NULL if the ring buffer doesn't contain enough
>readable bytes to constitute a packet descriptor. The ring buffer's
>write_index is in memory which is shared with the Hyper-V host, an
>erroneous or malicious host could thus change its value and overturn
>the result of hvs_stream_has_data().
>
>Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
>---
> net/vmw_vsock/hyperv_transport.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
>index e111e13b66604..943352530936e 100644
>--- a/net/vmw_vsock/hyperv_transport.c
>+++ b/net/vmw_vsock/hyperv_transport.c
>@@ -603,6 +603,8 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,
>
> if (need_refill) {
> hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
>+ if (!hvs->recv_desc)
>+ return -ENOBUFS;
> ret = hvs_update_recv_data(hvs);
> if (ret)
> return ret;
>--
>2.25.1
>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
WARNING: multiple messages have this Message-ID (diff)
From: Stefano Garzarella <sgarzare@redhat.com>
To: "Andrea Parri (Microsoft)" <parri.andrea@gmail.com>
Cc: Wei Liu <wei.liu@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Stephen Hemminger <sthemmin@microsoft.com>,
netdev@vger.kernel.org, Haiyang Zhang <haiyangz@microsoft.com>,
Dexuan Cui <decui@microsoft.com>,
linux-hyperv@vger.kernel.org,
Michael Kelley <mikelley@microsoft.com>,
Jakub Kicinski <kuba@kernel.org>,
virtualization@lists.linux-foundation.org,
David Miller <davem@davemloft.net>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/5] hv_sock: Check hv_pkt_iter_first_raw()'s return value
Date: Thu, 21 Apr 2022 15:50:57 +0200 [thread overview]
Message-ID: <20220421135057.57whrntjdv25jqpl@sgarzare-redhat> (raw)
In-Reply-To: <20220420200720.434717-2-parri.andrea@gmail.com>
On Wed, Apr 20, 2022 at 10:07:16PM +0200, Andrea Parri (Microsoft) wrote:
>The function returns NULL if the ring buffer doesn't contain enough
>readable bytes to constitute a packet descriptor. The ring buffer's
>write_index is in memory which is shared with the Hyper-V host, an
>erroneous or malicious host could thus change its value and overturn
>the result of hvs_stream_has_data().
>
>Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
>---
> net/vmw_vsock/hyperv_transport.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
>index e111e13b66604..943352530936e 100644
>--- a/net/vmw_vsock/hyperv_transport.c
>+++ b/net/vmw_vsock/hyperv_transport.c
>@@ -603,6 +603,8 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,
>
> if (need_refill) {
> hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
>+ if (!hvs->recv_desc)
>+ return -ENOBUFS;
> ret = hvs_update_recv_data(hvs);
> if (ret)
> return ret;
>--
>2.25.1
>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2022-04-21 13:51 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 20:07 [PATCH 0/5] hv_sock: Hardening changes Andrea Parri (Microsoft)
2022-04-20 20:07 ` [PATCH 1/5] hv_sock: Check hv_pkt_iter_first_raw()'s return value Andrea Parri (Microsoft)
2022-04-20 23:07 ` Michael Kelley (LINUX)
2022-04-20 23:07 ` Michael Kelley (LINUX) via Virtualization
2022-04-21 13:50 ` Stefano Garzarella [this message]
2022-04-21 13:50 ` Stefano Garzarella
2022-04-20 20:07 ` [PATCH 2/5] hv_sock: Copy packets sent by Hyper-V out of the ring buffer Andrea Parri (Microsoft)
2022-04-20 23:08 ` Michael Kelley (LINUX)
2022-04-20 23:08 ` Michael Kelley (LINUX) via Virtualization
2022-04-21 13:58 ` Stefano Garzarella
2022-04-21 13:58 ` Stefano Garzarella
2022-04-21 15:21 ` Andrea Parri
2022-04-20 20:07 ` [PATCH 3/5] hv_sock: Add validation for untrusted Hyper-V values Andrea Parri (Microsoft)
2022-04-20 23:09 ` Michael Kelley (LINUX)
2022-04-20 23:09 ` Michael Kelley (LINUX) via Virtualization
2022-04-21 14:08 ` Stefano Garzarella
2022-04-21 14:08 ` Stefano Garzarella
2022-04-21 15:30 ` Andrea Parri
2022-04-21 16:14 ` Stefano Garzarella
2022-04-21 16:14 ` Stefano Garzarella
2022-04-20 20:07 ` [PATCH 4/5] Drivers: hv: vmbus: Accept hv_sock offers in isolated guests Andrea Parri (Microsoft)
2022-04-20 23:10 ` Michael Kelley (LINUX)
2022-04-20 23:10 ` Michael Kelley (LINUX) via Virtualization
2022-04-20 20:07 ` [PATCH 5/5] Drivers: hv: vmbus: Refactor the ring-buffer iterator functions Andrea Parri (Microsoft)
2022-04-20 23:15 ` Michael Kelley (LINUX)
2022-04-20 23:15 ` Michael Kelley (LINUX) via Virtualization
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220421135057.57whrntjdv25jqpl@sgarzare-redhat \
--to=sgarzare@redhat.com \
--cc=davem@davemloft.net \
--cc=decui@microsoft.com \
--cc=haiyangz@microsoft.com \
--cc=kuba@kernel.org \
--cc=kys@microsoft.com \
--cc=linux-hyperv@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mikelley@microsoft.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=parri.andrea@gmail.com \
--cc=sthemmin@microsoft.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=wei.liu@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.