From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
To: "Michael S. Tsirkin" <mst@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: jasowang@redhat.com, virtualization@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, elena.reshetova@intel.com,
kirill.shutemov@linux.intel.com, Amit Shah <amit@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
alexander.shishkin@linux.intel.com
Subject: Re: [PATCH v1 4/6] virtio console: Harden control message handling
Date: Fri, 20 Jan 2023 18:41:27 +0200 [thread overview]
Message-ID: <87y1pxp39k.fsf@ubik.fi.intel.com> (raw)
In-Reply-To: <20230120074120-mutt-send-email-mst@kernel.org>
"Michael S. Tsirkin" <mst@redhat.com> writes:
> On Thu, Jan 19, 2023 at 04:22:09PM +0100, Greg Kroah-Hartman wrote:
>> On Thu, Jan 19, 2023 at 03:57:19PM +0200, Alexander Shishkin wrote:
>> > In handle_control_message(), we look at the ->event field twice, which
>> > gives a malicious VMM a window in which to switch it from PORT_ADD to
>> > PORT_REMOVE, triggering a null dereference further down the line:
>>
>> How is the other VMM have full control over the full message here?
>> Shouldn't this all have been copied into our local memory if we are
>> going to be poking around in it? Like I mentioned in my other review,
>> copy it all once and then parse it. Don't try to mess with individual
>> fields one at a time otherwise that way lies madness...
>>
>> thanks,
>>
>> greg k-h
>
> I agree and in fact, it is *already* copied since with malicious
> device we generally use a bounce buffer.
Right, but the code should probably be able to handle bad input on its
own, or what do you think?
> Having said that, the patch is actually a cleanup, e.g. it's clearer
> to byte-swap only once.
> Just don't oversell it as a security thing.
Well, security was the original motivation, so that's what it said in
the commit message. But we settled on [0] yesterday with Greg, which
would replace this patch and 2/6.
[0] https://lore.kernel.org/all/87a62eqo4h.fsf@ubik.fi.intel.com/
Regards,
--
Alex
next prev parent reply other threads:[~2023-01-20 16:41 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-19 13:57 [PATCH v1 0/6] Harden a few virtio bits Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 1/6] virtio console: Harden multiport against invalid host input Alexander Shishkin
2023-01-19 15:17 ` Greg Kroah-Hartman
2023-01-19 18:52 ` Alexander Shishkin
2023-01-19 19:18 ` Greg Kroah-Hartman
2023-01-19 19:34 ` Alexander Shishkin
2023-01-20 13:01 ` Michael S. Tsirkin
2023-01-20 15:51 ` Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 2/6] virtio console: Harden port adding Alexander Shishkin
2023-01-19 15:20 ` Greg Kroah-Hartman
2023-01-19 17:48 ` Alexander Shishkin
2023-01-19 18:57 ` Greg Kroah-Hartman
2023-01-19 20:13 ` Alexander Shishkin
2023-01-20 7:15 ` Greg Kroah-Hartman
2023-01-27 11:02 ` Michael S. Tsirkin
2023-01-27 11:55 ` Alexander Shishkin
2023-01-27 12:12 ` Michael S. Tsirkin
2023-01-27 12:47 ` Alexander Shishkin
2023-01-27 13:31 ` Greg Kroah-Hartman
2023-01-27 14:17 ` Alexander Shishkin
2023-01-27 14:37 ` Greg Kroah-Hartman
2023-01-27 14:46 ` Michael S. Tsirkin
2023-02-02 12:02 ` Reshetova, Elena
2023-01-27 13:52 ` Michael S. Tsirkin
2023-01-20 12:59 ` Michael S. Tsirkin
2023-01-19 13:57 ` [PATCH v1 3/6] virtio 9p: Fix an overflow Alexander Shishkin
2023-01-20 12:54 ` Michael S. Tsirkin
2023-01-20 16:29 ` Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 4/6] virtio console: Harden control message handling Alexander Shishkin
2023-01-19 15:22 ` Greg Kroah-Hartman
2023-01-20 12:45 ` Michael S. Tsirkin
2023-01-20 16:41 ` Alexander Shishkin [this message]
2023-01-27 10:58 ` Michael S. Tsirkin
2023-01-27 12:04 ` Alexander Shishkin
2023-01-19 13:57 ` [PATCH v1 5/6] virtio_net: Guard against buffer length overflow in xdp_linearize_page() Alexander Shishkin
2023-01-20 13:09 ` Michael S. Tsirkin
2023-01-19 13:57 ` [PATCH v1 6/6] virtio_ring: Prevent bounds check bypass on descriptor index Alexander Shishkin
2023-01-20 12:56 ` Michael S. Tsirkin
2023-01-20 11:55 ` [PATCH v1 0/6] Harden a few virtio bits Michael S. Tsirkin
2023-01-20 12:32 ` Alexander Shishkin
2023-01-20 12:40 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y1pxp39k.fsf@ubik.fi.intel.com \
--to=alexander.shishkin@linux.intel.com \
--cc=amit@kernel.org \
--cc=arnd@arndb.de \
--cc=elena.reshetova@intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).