Date: Wed, 11 Sep 2019 14:16:28 +0200
From: Michal Hocko
To: "Michael S. Tsirkin"
Cc: linux-kernel@vger.kernel.org, Jason Wang, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org
Subject: Re: [PATCH v2] vhost: block speculation of translated descriptors
Message-ID: <20190911121628.GT4023@dhcp22.suse.cz>
In-Reply-To: <20190911120908.28410-1-mst@redhat.com>

On Wed 11-09-19 08:10:00, Michael S. Tsirkin wrote:
> iovec addresses coming from vhost are assumed to be
> pre-validated, but in fact can be speculated to a value
> out of range.
>
> Userspace addresses are later validated with array_index_nospec so we can
> be sure kernel info does not leak through these addresses, but vhost
> must also not leak userspace info outside the allowed memory table to
> guests.
>
> Following the defence in depth principle, make sure
> the address is not validated out of node range.
>
> Signed-off-by: Michael S. Tsirkin
> Acked-by: Jason Wang
> Tested-by: Jason Wang

no need to mark for stable? Other spectre fixes tend to be backported
even when the security implications are not really clear. The risk
should be low and better to be covered in case.

> ---
>
> changes from v1: fix build on 32 bit
>
> drivers/vhost/vhost.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 5dc174ac8cac..34ea219936e3 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c
> @@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, > _iov = iov + ret; > size = node->size - addr + node->start; > _iov->iov_len = min((u64)len - s, size); > - _iov->iov_base = (void __user *)(unsigned long) > - (node->userspace_addr + addr - node->start); > + _iov->iov_base = (void __user *) > + ((unsigned long)node->userspace_addr + > + array_index_nospec((unsigned long)(addr - node->start), > + node->size)); > s += size; > addr += size; > ++ret; > -- > MST -- Michal Hocko SUSE Labs
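
Review bot: In the new array_index_nospec() call, the index is narrowed with (unsigned long)(addr - node->start) while the bound node->size is passed uncast. addr is a u64 per the function signature, and the context line "size = node->size - addr + node->start" suggests node->size is 64-bit as well, so on 32-bit (the case the v2 changelog mentions) the index and the bound may not have the same width. Consider casting both the same way, or adding a comment saying the truncation is intentional and why the bound still holds. A one-line comment above the assignment stating that the clamp is there to block speculation past the end of the node would also help, because nothing in the surrounding code explains why the offset is clamped at this point. In the commit message, "not validated out of node range" reads as if "speculated" was meant.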