Linux-HyperV Archive on lore.kernel.org
 help / color / Atom feed
From: Wei Liu <wei.liu@kernel.org>
To: Michael Kelley <mikelley@microsoft.com>
Cc: Andres Beltran <lkmlabelt@gmail.com>,
	Wei Liu <wei.liu@kernel.org>,
	Andres Beltran <t-mabelt@microsoft.com>,
	KY Srinivasan <kys@microsoft.com>,
	Haiyang Zhang <haiyangz@microsoft.com>,
	Stephen Hemminger <sthemmin@microsoft.com>,
	"linux-hyperv@vger.kernel.org" <linux-hyperv@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Andrea Parri <parri.andrea@gmail.com>
Subject: Re: [PATCH v2 1/3] Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening
Date: Mon, 29 Jun 2020 22:15:07 +0000
Message-ID: <20200629221507.2ubontmtpw36b4so@liuwe-devbox-debian-v2> (raw)
In-Reply-To: <MW2PR2101MB1052D0B7884A022D2DB6BED2D76E0@MW2PR2101MB1052.namprd21.prod.outlook.com>

On Mon, Jun 29, 2020 at 09:56:08PM +0000, Michael Kelley wrote:
> From: Andres Beltran <lkmlabelt@gmail.com> Sent: Monday, June 29, 2020 2:51 PM
> > 
> > On Mon, Jun 29, 2020 at 4:46 PM Wei Liu <wei.liu@kernel.org> wrote:
> > >
> > > On Mon, Jun 29, 2020 at 04:02:25PM -0400, Andres Beltran wrote:
> > > > Currently, VMbus drivers use pointers into guest memory as request IDs
> > > > for interactions with Hyper-V. To be more robust in the face of errors
> > > > or malicious behavior from a compromised Hyper-V, avoid exposing
> > > > guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
> > > > bad request ID that is then treated as the address of a guest data
> > > > structure with no validation. Instead, encapsulate these memory
> > > > addresses and provide small integers as request IDs.
> > > >
> > > > Signed-off-by: Andres Beltran <lkmlabelt@gmail.com>
> > > > ---
> > > > Changes in v2:
> > > >       - Get rid of "rqstor" variable in __vmbus_open().
> > > >
> > > >  drivers/hv/channel.c   | 146 +++++++++++++++++++++++++++++++++++++++++
> > > >  include/linux/hyperv.h |  21 ++++++
> > > >  2 files changed, 167 insertions(+)
> > > >
> > > > diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
> > > > index 3ebda7707e46..c89d57d0c2d2 100644
> > > > --- a/drivers/hv/channel.c
> > > > +++ b/drivers/hv/channel.c
> > > > @@ -112,6 +112,70 @@ int vmbus_alloc_ring(struct vmbus_channel *newchannel,
> > > >  }
> > > >  EXPORT_SYMBOL_GPL(vmbus_alloc_ring);
> > > >
> > > > +/**
> > > > + * request_arr_init - Allocates memory for the requestor array. Each slot
> > > > + * keeps track of the next available slot in the array. Initially, each
> > > > + * slot points to the next one (as in a Linked List). The last slot
> > > > + * does not point to anything, so its value is U64_MAX by default.
> > > > + * @size The size of the array
> > > > + */
> > > > +static u64 *request_arr_init(u32 size)
> > > > +{
> > > > +     int i;
> > > > +     u64 *req_arr;
> > > > +
> > > > +     req_arr = kcalloc(size, sizeof(u64), GFP_KERNEL);
> > > > +     if (!req_arr)
> > > > +             return NULL;
> > > > +
> > > > +     for (i = 0; i < size - 1; i++)
> > > > +             req_arr[i] = i + 1;
> > > > +
> > > > +     /* Last slot (no more available slots) */
> > > > +     req_arr[i] = U64_MAX;
> > > > +
> > > > +     return req_arr;
> > > > +}
> > > > +
> > > > +/*
> > > > + * vmbus_alloc_requestor - Initializes @rqstor's fields.
> > > > + * Slot at index 0 is the first free slot.
> > > > + * @size: Size of the requestor array
> > > > + */
> > > > +static int vmbus_alloc_requestor(struct vmbus_requestor *rqstor, u32 size)
> > > > +{
> > > > +     u64 *rqst_arr;
> > > > +     unsigned long *bitmap;
> > > > +
> > > > +     rqst_arr = request_arr_init(size);
> > > > +     if (!rqst_arr)
> > > > +             return -ENOMEM;
> > > > +
> > > > +     bitmap = bitmap_zalloc(size, GFP_KERNEL);
> > > > +     if (!bitmap) {
> > > > +             kfree(rqst_arr);
> > > > +             return -ENOMEM;
> > > > +     }
> > > > +
> > > > +     rqstor->req_arr = rqst_arr;
> > > > +     rqstor->req_bitmap = bitmap;
> > > > +     rqstor->size = size;
> > > > +     rqstor->next_request_id = 0;
> > > > +     spin_lock_init(&rqstor->req_lock);
> > > > +
> > > > +     return 0;
> > > > +}
> > > > +
> > > > +/*
> > > > + * vmbus_free_requestor - Frees memory allocated for @rqstor
> > > > + * @rqstor: Pointer to the requestor struct
> > > > + */
> > > > +static void vmbus_free_requestor(struct vmbus_requestor *rqstor)
> > > > +{
> > > > +     kfree(rqstor->req_arr);
> > > > +     bitmap_free(rqstor->req_bitmap);
> > > > +}
> > > > +
> > > >  static int __vmbus_open(struct vmbus_channel *newchannel,
> > > >                      void *userdata, u32 userdatalen,
> > > >                      void (*onchannelcallback)(void *context), void *context)
> > > > @@ -132,6 +196,12 @@ static int __vmbus_open(struct vmbus_channel *newchannel,
> > > >       if (newchannel->state != CHANNEL_OPEN_STATE)
> > > >               return -EINVAL;
> > > >
> > > > +     /* Create and init requestor */
> > > > +     if (newchannel->rqstor_size) {
> > > > +             if (vmbus_alloc_requestor(&newchannel->requestor, newchannel-
> > >rqstor_size))
> > > > +                     return -ENOMEM;
> > > > +     }
> > > > +
> > >
> > > Sorry for not noticing this in the last round: this infrastructure is
> > > initialized conditionally but used unconditionally.
> > >
> > > I can think of two options here:
> > >
> > >   1. Mandate rqstor_size to be non-zero. Always initialize this
> > >      infra.
> > >   2. Modify vmbus_next_request_id and vmbus_request_addr to deal with
> > >      uninitialized state.
> > >
> > > For #2, you can simply check rqstor->size _before_ taking the lock
> > > (because it may be uninitialized, and the assumption is ->size will not
> > > change during the channel's lifetime, hence no lock is needed) and
> > > simply return the same value to the caller.
> > >
> > > Wei.
> > 
> > Right. I think option #2 would be preferable in this case, because #1 works
> > if we had a default non-zero size for cases where rqstor_size has not been
> > set to a non-zero value before calling vmbus_alloc_requestor(). For #2, what
> > do you mean by "same value"? I think we would need to return
> > VMBUS_RQST_ERROR if the size is 0, because otherwise we would be
> > returning the same guest memory address which we don't want to expose.
> > 
> 
> I'm not understanding the problem here.  Any VMbus driver that uses
> this requestID allocation mechanism must set newchannel->rqstor_size
> to a non-zero value.  But if a VMbus driver doesn't use the mechanism,
> then newchannel->rqstor_size will default to zero, and the mechanism
> will not be initialized for the channels used by that driver.  I think the
> cleanup of the mechanism handles the case where it wasn't ever
> initialized.  Or am I missing something?
> 

It is not about the cleanup function -- it handles things correctly
because kfree etc can cope with NULL pointers.

I'm referring to vmbus_next_request_id and vmbus_request_addr. They are
called in later patches regardless of whether the infrastructure is
initialized or not.

That is problematic, because the first thing those functions do is to
acquire the spinlock, which is not guaranteed to be initialized -- it is
initialized in vmbus_alloc_requestor which is called conditionally.

Wei.

> Michael

  parent reply index

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-29 20:02 [PATCH v2 0/3] Drivers: hv: vmbus: " Andres Beltran
2020-06-29 20:02 ` [PATCH v2 1/3] Drivers: hv: vmbus: Add " Andres Beltran
2020-06-29 20:46   ` Wei Liu
2020-06-29 21:51     ` Andres Beltran
2020-06-29 21:56       ` Michael Kelley
2020-06-29 22:09         ` Andres Beltran
2020-06-29 22:15         ` Wei Liu [this message]
2020-06-29 22:20       ` Wei Liu
2020-06-29 23:45         ` Andres Beltran
2020-06-30 10:09           ` Wei Liu
2020-06-30 10:17             ` Wei Liu
2020-06-30 10:48               ` Wei Liu
2020-06-29 20:02 ` [PATCH v2 2/3] scsi: storvsc: Use vmbus_requestor to generate transaction IDs " Andres Beltran
2020-06-29 20:02 ` [PATCH v2 3/3] hv_netvsc: " Andres Beltran
2020-06-29 21:33   ` Haiyang Zhang
2020-06-29 22:26     ` Wei Liu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200629221507.2ubontmtpw36b4so@liuwe-devbox-debian-v2 \
    --to=wei.liu@kernel.org \
    --cc=haiyangz@microsoft.com \
    --cc=kys@microsoft.com \
    --cc=linux-hyperv@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lkmlabelt@gmail.com \
    --cc=mikelley@microsoft.com \
    --cc=parri.andrea@gmail.com \
    --cc=sthemmin@microsoft.com \
    --cc=t-mabelt@microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-HyperV Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-hyperv/0 linux-hyperv/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-hyperv linux-hyperv/ https://lore.kernel.org/linux-hyperv \
		linux-hyperv@vger.kernel.org
	public-inbox-index linux-hyperv

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-hyperv


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git