Linux-HyperV Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v2] Drivers: hv: vmbus: Initialize unload_event statically
@ 2021-04-20  1:43 Andrea Parri (Microsoft)
  2021-04-20  4:50 ` Michael Kelley
  0 siblings, 1 reply; 3+ messages in thread
From: Andrea Parri (Microsoft) @ 2021-04-20  1:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: kys, haiyangz, sthemmin, wei.liu, linux-hyperv, mikelley,
	Andrea Parri (Microsoft)

If a malicious or compromised Hyper-V sends a spurious message of type
CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
call complete() on an uninitialized event, and cause an oops.

Reported-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
---
Changes since v1[1]:
  - add inline comment in vmbus_unload_response()

[1] https://lkml.kernel.org/r/20210416143932.16512-1-parri.andrea@gmail.com

 drivers/hv/channel_mgmt.c | 7 ++++++-
 drivers/hv/connection.c   | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 4c9e45d1f462c..335a10ee03a5e 100644
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -826,6 +826,11 @@ static void vmbus_unload_response(struct vmbus_channel_message_header *hdr)
 	/*
 	 * This is a global event; just wakeup the waiting thread.
 	 * Once we successfully unload, we can cleanup the monitor state.
+	 *
+	 * NB.  A malicious or compromised Hyper-V could send a spurious
+	 * message of type CHANNELMSG_UNLOAD_RESPONSE, and trigger a call
+	 * of the complete() below.  Make sure that unload_event has been
+	 * initialized by the time this complete() is executed.
 	 */
 	complete(&vmbus_connection.unload_event);
 }
@@ -841,7 +846,7 @@ void vmbus_initiate_unload(bool crash)
 	if (vmbus_proto_version < VERSION_WIN8_1)
 		return;
 
-	init_completion(&vmbus_connection.unload_event);
+	reinit_completion(&vmbus_connection.unload_event);
 	memset(&hdr, 0, sizeof(struct vmbus_channel_message_header));
 	hdr.msgtype = CHANNELMSG_UNLOAD;
 	vmbus_post_msg(&hdr, sizeof(struct vmbus_channel_message_header),
diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
index dc19d5ae4373c..311cd005b3be6 100644
--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -26,6 +26,8 @@
 
 struct vmbus_connection vmbus_connection = {
 	.conn_state		= DISCONNECTED,
+	.unload_event		= COMPLETION_INITIALIZER(
+				  vmbus_connection.unload_event),
 	.next_gpadl_handle	= ATOMIC_INIT(0xE1E10),
 
 	.ready_for_suspend_event = COMPLETION_INITIALIZER(
-- 
2.25.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* RE: [PATCH v2] Drivers: hv: vmbus: Initialize unload_event statically
  2021-04-20  1:43 [PATCH v2] Drivers: hv: vmbus: Initialize unload_event statically Andrea Parri (Microsoft)
@ 2021-04-20  4:50 ` Michael Kelley
  2021-04-20 19:40   ` Wei Liu
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Kelley @ 2021-04-20  4:50 UTC (permalink / raw)
  To: Andrea Parri (Microsoft), linux-kernel
  Cc: KY Srinivasan, Haiyang Zhang, Stephen Hemminger, wei.liu, linux-hyperv

From: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Sent: Monday, April 19, 2021 6:44 PM
> 
> If a malicious or compromised Hyper-V sends a spurious message of type
> CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
> call complete() on an uninitialized event, and cause an oops.
> 
> Reported-by: Michael Kelley <mikelley@microsoft.com>
> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
> ---
> Changes since v1[1]:
>   - add inline comment in vmbus_unload_response()
> 
> [1] https://lore.kernel.org/linux-hyperv/20210416143932.16512-1-parri.andrea@gmail.com/
> 
>  drivers/hv/channel_mgmt.c | 7 ++++++-
>  drivers/hv/connection.c   | 2 ++
>  2 files changed, 8 insertions(+), 1 deletion(-)
> 

Reviewed-by: Michael Kelley <mikelley@microsoft.com>

> diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
> index 4c9e45d1f462c..335a10ee03a5e 100644
> --- a/drivers/hv/channel_mgmt.c
> +++ b/drivers/hv/channel_mgmt.c
> @@ -826,6 +826,11 @@ static void vmbus_unload_response(struct
> vmbus_channel_message_header *hdr)
>  	/*
>  	 * This is a global event; just wakeup the waiting thread.
>  	 * Once we successfully unload, we can cleanup the monitor state.
> +	 *
> +	 * NB.  A malicious or compromised Hyper-V could send a spurious
> +	 * message of type CHANNELMSG_UNLOAD_RESPONSE, and trigger a call
> +	 * of the complete() below.  Make sure that unload_event has been
> +	 * initialized by the time this complete() is executed.
>  	 */
>  	complete(&vmbus_connection.unload_event);
>  }
> @@ -841,7 +846,7 @@ void vmbus_initiate_unload(bool crash)
>  	if (vmbus_proto_version < VERSION_WIN8_1)
>  		return;
> 
> -	init_completion(&vmbus_connection.unload_event);
> +	reinit_completion(&vmbus_connection.unload_event);
>  	memset(&hdr, 0, sizeof(struct vmbus_channel_message_header));
>  	hdr.msgtype = CHANNELMSG_UNLOAD;
>  	vmbus_post_msg(&hdr, sizeof(struct vmbus_channel_message_header),
> diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
> index dc19d5ae4373c..311cd005b3be6 100644
> --- a/drivers/hv/connection.c
> +++ b/drivers/hv/connection.c
> @@ -26,6 +26,8 @@
> 
>  struct vmbus_connection vmbus_connection = {
>  	.conn_state		= DISCONNECTED,
> +	.unload_event		= COMPLETION_INITIALIZER(
> +				  vmbus_connection.unload_event),
>  	.next_gpadl_handle	= ATOMIC_INIT(0xE1E10),
> 
>  	.ready_for_suspend_event = COMPLETION_INITIALIZER(
> --
> 2.25.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] Drivers: hv: vmbus: Initialize unload_event statically
  2021-04-20  4:50 ` Michael Kelley
@ 2021-04-20 19:40   ` Wei Liu
  0 siblings, 0 replies; 3+ messages in thread
From: Wei Liu @ 2021-04-20 19:40 UTC (permalink / raw)
  To: Michael Kelley
  Cc: Andrea Parri (Microsoft),
	linux-kernel, KY Srinivasan, Haiyang Zhang, Stephen Hemminger,
	wei.liu, linux-hyperv

On Tue, Apr 20, 2021 at 04:50:56AM +0000, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Sent: Monday, April 19, 2021 6:44 PM
> > 
> > If a malicious or compromised Hyper-V sends a spurious message of type
> > CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will
> > call complete() on an uninitialized event, and cause an oops.
> > 
> > Reported-by: Michael Kelley <mikelley@microsoft.com>
> > Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
> > ---
> > Changes since v1[1]:
> >   - add inline comment in vmbus_unload_response()
> > 
> > [1] https://lore.kernel.org/linux-hyperv/20210416143932.16512-1-parri.andrea@gmail.com/
> > 
> >  drivers/hv/channel_mgmt.c | 7 ++++++-
> >  drivers/hv/connection.c   | 2 ++
> >  2 files changed, 8 insertions(+), 1 deletion(-)
> > 
> 
> Reviewed-by: Michael Kelley <mikelley@microsoft.com>

Applied to hyperv-next. Thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-20  1:43 [PATCH v2] Drivers: hv: vmbus: Initialize unload_event statically Andrea Parri (Microsoft)
2021-04-20  4:50 ` Michael Kelley
2021-04-20 19:40   ` Wei Liu

Linux-HyperV Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-hyperv/0 linux-hyperv/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-hyperv linux-hyperv/ https://lore.kernel.org/linux-hyperv \
		linux-hyperv@vger.kernel.org
	public-inbox-index linux-hyperv

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-hyperv


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git