From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.4 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38E63C433DF for ; Mon, 8 Jun 2020 07:18:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0F836204EF for ; Mon, 8 Jun 2020 07:18:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="iie3w0mF" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729015AbgFHHSA (ORCPT ); Mon, 8 Jun 2020 03:18:00 -0400 Received: from us-smtp-delivery-1.mimecast.com ([207.211.31.120]:46449 "EHLO us-smtp-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728753AbgFHHR6 (ORCPT ); Mon, 8 Jun 2020 03:17:58 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1591600676; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=S9uO0fQB9dm5+hXwHDQJqno1QWjlymRlrC3fBKOV4jw=; b=iie3w0mF6ThhoXqFG9z4rfoP+UIqehUYRWZ9aPHPOFkMmIN0HPioM9clPmWFCsIt6wmqb/ NEQ2FZox4BNDlIDsZDa2q4d95Rx3ktMBGGisfNSouL+awNxcUyvXIkyCumJ0KdtfGyPWNA Kl9NBm+RO4KBGDbY9xC/vj4q3AspQZU= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-345-nZwG0sPhNUW3JFPWj9PLdQ-1; Mon, 08 Jun 2020 03:17:52 -0400 X-MC-Unique: nZwG0sPhNUW3JFPWj9PLdQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A2430107ACCA; Mon, 8 Jun 2020 07:17:51 +0000 (UTC) Received: from [10.36.113.136] (ovpn-113-136.ams2.redhat.com [10.36.113.136]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1DBB0619C3; Mon, 8 Jun 2020 07:17:45 +0000 (UTC) Subject: Re: [PATCH] virtio_mem: prevent overflow with subblock size To: "Michael S. Tsirkin" Cc: linux-kernel@vger.kernel.org, Jason Wang , Pankaj Gupta , virtualization@lists.linux-foundation.org, teawater References: <20200608061406.709211-1-mst@redhat.com> <0930c9d0-0708-c079-29bd-b80d4e3ce446@redhat.com> <20200608030423-mutt-send-email-mst@kernel.org> From: David Hildenbrand Autocrypt: addr=david@redhat.com; prefer-encrypt=mutual; keydata= mQINBFXLn5EBEAC+zYvAFJxCBY9Tr1xZgcESmxVNI/0ffzE/ZQOiHJl6mGkmA1R7/uUpiCjJ dBrn+lhhOYjjNefFQou6478faXE6o2AhmebqT4KiQoUQFV4R7y1KMEKoSyy8hQaK1umALTdL QZLQMzNE74ap+GDK0wnacPQFpcG1AE9RMq3aeErY5tujekBS32jfC/7AnH7I0v1v1TbbK3Gp XNeiN4QroO+5qaSr0ID2sz5jtBLRb15RMre27E1ImpaIv2Jw8NJgW0k/D1RyKCwaTsgRdwuK Kx/Y91XuSBdz0uOyU/S8kM1+ag0wvsGlpBVxRR/xw/E8M7TEwuCZQArqqTCmkG6HGcXFT0V9 PXFNNgV5jXMQRwU0O/ztJIQqsE5LsUomE//bLwzj9IVsaQpKDqW6TAPjcdBDPLHvriq7kGjt WhVhdl0qEYB8lkBEU7V2Yb+SYhmhpDrti9Fq1EsmhiHSkxJcGREoMK/63r9WLZYI3+4W2rAc UucZa4OT27U5ZISjNg3Ev0rxU5UH2/pT4wJCfxwocmqaRr6UYmrtZmND89X0KigoFD/XSeVv jwBRNjPAubK9/k5NoRrYqztM9W6sJqrH8+UWZ1Idd/DdmogJh0gNC0+N42Za9yBRURfIdKSb B3JfpUqcWwE7vUaYrHG1nw54pLUoPG6sAA7Mehl3nd4pZUALHwARAQABtCREYXZpZCBIaWxk ZW5icmFuZCA8ZGF2aWRAcmVkaGF0LmNvbT6JAlgEEwEIAEICGwMFCQlmAYAGCwkIBwMCBhUI AgkKCwQWAgMBAh4BAheAFiEEG9nKrXNcTDpGDfzKTd4Q9wD/g1oFAl3pImkCGQEACgkQTd4Q 9wD/g1o+VA//SFvIHUAvul05u6wKv/pIR6aICPdpF9EIgEU448g+7FfDgQwcEny1pbEzAmiw zAXIQ9H0NZh96lcq+yDLtONnXk/bEYWHHUA014A1wqcYNRY8RvY1+eVHb0uu0KYQoXkzvu+s Dncuguk470XPnscL27hs8PgOP6QjG4jt75K2LfZ0eAqTOUCZTJxA8A7E9+XTYuU0hs7QVrWJ jQdFxQbRMrYz7uP8KmTK9/Cnvqehgl4EzyRaZppshruKMeyheBgvgJd5On1wWq4ZUV5PFM4x II3QbD3EJfWbaJMR55jI9dMFa+vK7MFz3rhWOkEx/QR959lfdRSTXdxs8V3zDvChcmRVGN8U Vo93d1YNtWnA9w6oCW1dnDZ4kgQZZSBIjp6iHcA08apzh7DPi08jL7M9UQByeYGr8KuR4i6e RZI6xhlZerUScVzn35ONwOC91VdYiQgjemiVLq1WDDZ3B7DIzUZ4RQTOaIWdtXBWb8zWakt/ ztGhsx0e39Gvt3391O1PgcA7ilhvqrBPemJrlb9xSPPRbaNAW39P8ws/UJnzSJqnHMVxbRZC Am4add/SM+OCP0w3xYss1jy9T+XdZa0lhUvJfLy7tNcjVG/sxkBXOaSC24MFPuwnoC9WvCVQ ZBxouph3kqc4Dt5X1EeXVLeba+466P1fe1rC8MbcwDkoUo65Ag0EVcufkQEQAOfX3n0g0fZz Bgm/S2zF/kxQKCEKP8ID+Vz8sy2GpDvveBq4H2Y34XWsT1zLJdvqPI4af4ZSMxuerWjXbVWb T6d4odQIG0fKx4F8NccDqbgHeZRNajXeeJ3R7gAzvWvQNLz4piHrO/B4tf8svmRBL0ZB5P5A 2uhdwLU3NZuK22zpNn4is87BPWF8HhY0L5fafgDMOqnf4guJVJPYNPhUFzXUbPqOKOkL8ojk CXxkOFHAbjstSK5Ca3fKquY3rdX3DNo+EL7FvAiw1mUtS+5GeYE+RMnDCsVFm/C7kY8c2d0G NWkB9pJM5+mnIoFNxy7YBcldYATVeOHoY4LyaUWNnAvFYWp08dHWfZo9WCiJMuTfgtH9tc75 7QanMVdPt6fDK8UUXIBLQ2TWr/sQKE9xtFuEmoQGlE1l6bGaDnnMLcYu+Asp3kDT0w4zYGsx 5r6XQVRH4+5N6eHZiaeYtFOujp5n+pjBaQK7wUUjDilPQ5QMzIuCL4YjVoylWiBNknvQWBXS lQCWmavOT9sttGQXdPCC5ynI+1ymZC1ORZKANLnRAb0NH/UCzcsstw2TAkFnMEbo9Zu9w7Kv AxBQXWeXhJI9XQssfrf4Gusdqx8nPEpfOqCtbbwJMATbHyqLt7/oz/5deGuwxgb65pWIzufa N7eop7uh+6bezi+rugUI+w6DABEBAAGJAiUEGAECAA8FAlXLn5ECGwwFCQlmAYAACgkQTd4Q 9wD/g1qA6w/+M+ggFv+JdVsz5+ZIc6MSyGUozASX+bmIuPeIecc9UsFRatc91LuJCKMkD9Uv GOcWSeFpLrSGRQ1Z7EMzFVU//qVs6uzhsNk0RYMyS0B6oloW3FpyQ+zOVylFWQCzoyyf227y GW8HnXunJSC+4PtlL2AY4yZjAVAPLK2l6mhgClVXTQ/S7cBoTQKP+jvVJOoYkpnFxWE9pn4t H5QIFk7Ip8TKr5k3fXVWk4lnUi9MTF/5L/mWqdyIO1s7cjharQCstfWCzWrVeVctpVoDfJWp 4LwTuQ5yEM2KcPeElLg5fR7WB2zH97oI6/Ko2DlovmfQqXh9xWozQt0iGy5tWzh6I0JrlcxJ ileZWLccC4XKD1037Hy2FLAjzfoWgwBLA6ULu0exOOdIa58H4PsXtkFPrUF980EEibUp0zFz GotRVekFAceUaRvAj7dh76cToeZkfsjAvBVb4COXuhgX6N4pofgNkW2AtgYu1nUsPAo+NftU CxrhjHtLn4QEBpkbErnXQyMjHpIatlYGutVMS91XTQXYydCh5crMPs7hYVsvnmGHIaB9ZMfB njnuI31KBiLUks+paRkHQlFcgS2N3gkRBzH7xSZ+t7Re3jvXdXEzKBbQ+dC3lpJB0wPnyMcX FOTT3aZT7IgePkt5iC/BKBk3hqKteTnJFeVIT7EC+a6YUFg= Organization: Red Hat GmbH Message-ID: Date: Mon, 8 Jun 2020 09:17:45 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0 MIME-Version: 1.0 In-Reply-To: <20200608030423-mutt-send-email-mst@kernel.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 08.06.20 09:08, Michael S. Tsirkin wrote: > On Mon, Jun 08, 2020 at 08:58:31AM +0200, David Hildenbrand wrote: >> On 08.06.20 08:14, Michael S. Tsirkin wrote: >>> If subblock size is large (e.g. 1G) 32 bit math involving it >>> can overflow. Rather than try to catch all instances of that, >>> let's tweak block size to 64 bit. >> >> I fail to see where we could actually trigger an overflow. The reported >> warning looked like a false positive to me. > > > So > > const uint64_t size = count * vm->subblock_size; > > is it unreasonable for count to be 4K with subblock_size being 1M? virtio_mem_mb_plug_sb() and friends are only called on subblocks residing within a single Linux memory block. (currently, 128MB .. 2G on x86-64). A subblock on x86-64 is currently at least 4MB. So "count * vm->subblock_size" can currently not exceed the Linux memory block size (in practice, it is max 128MB). > >>> >>> It ripples through UAPI which is an ABI change, but it's not too late to >>> make it, and it will allow supporting >4Gbyte blocks while might >>> become necessary down the road. >>> >> >> This might break cloud-hypervisor, who's already implementing this >> protocol upstream (ccing Hui). >> https://github.com/cloud-hypervisor/cloud-hypervisor/blob/master/vm-virtio/src/mem.rs >> >> (blocks in the gigabyte range were never the original intention of >> virtio-mem, but I am not completely opposed to that) > > > So in that case, can you code up validation in the probe function? If we would currently have a "block_size" > Linux memory block size, we bail out. virtio_mem_init(): if (vm->device_block_size > memory_block_size_bytes()) { dev_err(&vm->vdev->dev, "The block size is not supported (too big).\n"); return -EINVAL; } So what's reported can currently not happen. Having that said, changing "subblock_size" to be an uint64_t is a good cleanup, especially for the future. -- Thanks, David / dhildenb From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Hildenbrand Subject: Re: [PATCH] virtio_mem: prevent overflow with subblock size Date: Mon, 8 Jun 2020 09:17:45 +0200 Message-ID: References: <20200608061406.709211-1-mst@redhat.com> <0930c9d0-0708-c079-29bd-b80d4e3ce446@redhat.com> <20200608030423-mutt-send-email-mst@kernel.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20200608030423-mutt-send-email-mst@kernel.org> Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: virtualization-bounces@lists.linux-foundation.org Sender: "Virtualization" To: "Michael S. Tsirkin" Cc: Pankaj Gupta , teawater , linux-kernel@vger.kernel.org, virtualization@lists.linux-foundation.org List-Id: virtualization@lists.linuxfoundation.org On 08.06.20 09:08, Michael S. Tsirkin wrote: > On Mon, Jun 08, 2020 at 08:58:31AM +0200, David Hildenbrand wrote: >> On 08.06.20 08:14, Michael S. Tsirkin wrote: >>> If subblock size is large (e.g. 1G) 32 bit math involving it >>> can overflow. Rather than try to catch all instances of that, >>> let's tweak block size to 64 bit. >> >> I fail to see where we could actually trigger an overflow. The reported >> warning looked like a false positive to me. > > > So > > const uint64_t size = count * vm->subblock_size; > > is it unreasonable for count to be 4K with subblock_size being 1M? virtio_mem_mb_plug_sb() and friends are only called on subblocks residing within a single Linux memory block. (currently, 128MB .. 2G on x86-64). A subblock on x86-64 is currently at least 4MB. So "count * vm->subblock_size" can currently not exceed the Linux memory block size (in practice, it is max 128MB). > >>> >>> It ripples through UAPI which is an ABI change, but it's not too late to >>> make it, and it will allow supporting >4Gbyte blocks while might >>> become necessary down the road. >>> >> >> This might break cloud-hypervisor, who's already implementing this >> protocol upstream (ccing Hui). >> https://github.com/cloud-hypervisor/cloud-hypervisor/blob/master/vm-virtio/src/mem.rs >> >> (blocks in the gigabyte range were never the original intention of >> virtio-mem, but I am not completely opposed to that) > > > So in that case, can you code up validation in the probe function? If we would currently have a "block_size" > Linux memory block size, we bail out. virtio_mem_init(): if (vm->device_block_size > memory_block_size_bytes()) { dev_err(&vm->vdev->dev, "The block size is not supported (too big).\n"); return -EINVAL; } So what's reported can currently not happen. Having that said, changing "subblock_size" to be an uint64_t is a good cleanup, especially for the future. -- Thanks, David / dhildenb