From: "Michael S. Tsirkin" <mst@redhat.com>
To: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
jasowang@redhat.com, virtualization@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, elena.reshetova@intel.com,
kirill.shutemov@linux.intel.com, Amit Shah <amit@kernel.org>,
Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH v1 4/6] virtio console: Harden control message handling
Date: Fri, 27 Jan 2023 05:58:30 -0500 [thread overview]
Message-ID: <20230127055514-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <87y1pxp39k.fsf@ubik.fi.intel.com>
On Fri, Jan 20, 2023 at 06:41:27PM +0200, Alexander Shishkin wrote:
> "Michael S. Tsirkin" <mst@redhat.com> writes:
>
> > On Thu, Jan 19, 2023 at 04:22:09PM +0100, Greg Kroah-Hartman wrote:
> >> On Thu, Jan 19, 2023 at 03:57:19PM +0200, Alexander Shishkin wrote:
> >> > In handle_control_message(), we look at the ->event field twice, which
> >> > gives a malicious VMM a window in which to switch it from PORT_ADD to
> >> > PORT_REMOVE, triggering a null dereference further down the line:
> >>
> >> How is the other VMM have full control over the full message here?
> >> Shouldn't this all have been copied into our local memory if we are
> >> going to be poking around in it? Like I mentioned in my other review,
> >> copy it all once and then parse it. Don't try to mess with individual
> >> fields one at a time otherwise that way lies madness...
> >>
> >> thanks,
> >>
> >> greg k-h
> >
> > I agree and in fact, it is *already* copied since with malicious
> > device we generally use a bounce buffer.
>
> Right, but the code should probably be able to handle bad input on its
> own, or what do you think?
Basically I think it's ok to look at the same field twice unless
it's mapped as dma coherent. Is that what you are asking about?
> > Having said that, the patch is actually a cleanup, e.g. it's clearer
> > to byte-swap only once.
> > Just don't oversell it as a security thing.
>
> Well, security was the original motivation, so that's what it said in
> the commit message. But we settled on [0] yesterday with Greg, which
> would replace this patch and 2/6.
>
> [0] https://lore.kernel.org/all/87a62eqo4h.fsf@ubik.fi.intel.com/
>
> Regards,
At this point I will drop this series and pls post new series
with just the stuff you want included. Include acks if patches
are unchanged.
Thanks!
> --
> Alex
next prev parent reply other threads:[~2023-01-27 10:59 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-19 13:57 [PATCH v1 0/6] Harden a few virtio bits Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 1/6] virtio console: Harden multiport against invalid host input Alexander Shishkin
2023-01-19 15:17 ` Greg Kroah-Hartman
2023-01-19 18:52 ` Alexander Shishkin
2023-01-19 19:18 ` Greg Kroah-Hartman
2023-01-19 19:34 ` Alexander Shishkin
2023-01-20 13:01 ` Michael S. Tsirkin
2023-01-20 15:51 ` Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 2/6] virtio console: Harden port adding Alexander Shishkin
2023-01-19 15:20 ` Greg Kroah-Hartman
2023-01-19 17:48 ` Alexander Shishkin
2023-01-19 18:57 ` Greg Kroah-Hartman
2023-01-19 20:13 ` Alexander Shishkin
2023-01-20 7:15 ` Greg Kroah-Hartman
2023-01-27 11:02 ` Michael S. Tsirkin
2023-01-27 11:55 ` Alexander Shishkin
2023-01-27 12:12 ` Michael S. Tsirkin
2023-01-27 12:47 ` Alexander Shishkin
2023-01-27 13:31 ` Greg Kroah-Hartman
2023-01-27 14:17 ` Alexander Shishkin
2023-01-27 14:37 ` Greg Kroah-Hartman
2023-01-27 14:46 ` Michael S. Tsirkin
2023-02-02 12:02 ` Reshetova, Elena
2023-01-27 13:52 ` Michael S. Tsirkin
2023-01-20 12:59 ` Michael S. Tsirkin
2023-01-19 13:57 ` [PATCH v1 3/6] virtio 9p: Fix an overflow Alexander Shishkin
2023-01-20 12:54 ` Michael S. Tsirkin
2023-01-20 16:29 ` Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 4/6] virtio console: Harden control message handling Alexander Shishkin
2023-01-19 15:22 ` Greg Kroah-Hartman
2023-01-20 12:45 ` Michael S. Tsirkin
2023-01-20 16:41 ` Alexander Shishkin
2023-01-27 10:58 ` Michael S. Tsirkin [this message]
2023-01-27 12:04 ` Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 5/6] virtio_net: Guard against buffer length overflow in xdp_linearize_page() Alexander Shishkin
2023-01-20 13:09 ` Michael S. Tsirkin
2023-01-19 13:57 ` [PATCH v1 6/6] virtio_ring: Prevent bounds check bypass on descriptor index Alexander Shishkin
2023-01-20 12:56 ` Michael S. Tsirkin
2023-01-20 11:55 ` [PATCH v1 0/6] Harden a few virtio bits Michael S. Tsirkin
2023-01-20 12:32 ` Alexander Shishkin
2023-01-20 12:40 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230127055514-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=amit@kernel.org \
--cc=arnd@arndb.de \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).