From: Gleb Natapov <gleb@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
virtualization@lists.linux-foundation.org,
netdev@vger.kernel.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, mingo@elte.hu, linux-mm@kvack.org,
akpm@linux-foundation.org, hpa@zytor.com,
gregory.haskins@gmail.com, Or Gerlitz <ogerlitz@voltaire.com>
Subject: Re: [PATCHv3 2/2] vhost_net: a kernel-level virtio server
Date: Fri, 21 Aug 2009 16:20:22 +0300
Message-ID: <20090821132022.GA6966@redhat.com>
In-Reply-To: <20090820133817.GA7834@redhat.com>
On Thu, Aug 20, 2009 at 04:38:17PM +0300, Michael S. Tsirkin wrote:
> On Thu, Aug 20, 2009 at 03:10:54PM +0200, Arnd Bergmann wrote:
> > On Thursday 20 August 2009, Michael S. Tsirkin wrote:
> > > On Wed, Aug 19, 2009 at 05:27:07PM +0200, Arnd Bergmann wrote:
> > > > On Wednesday 19 August 2009, Michael S. Tsirkin wrote:
> > > > > On Wed, Aug 19, 2009 at 03:46:44PM +0200, Arnd Bergmann wrote:
> > > > > > On Wednesday 19 August 2009, Michael S. Tsirkin wrote:
> > > > > >
> > > > > > Leaving that aside for now, you could replace VHOST_NET_SET_SOCKET,
> > > > > > VHOST_SET_OWNER, VHOST_RESET_OWNER
> > > > >
> > > > > SET/RESET OWNER is still needed: otherwise if you share a descriptor
> > > > > with another process, it can corrupt your memory.
> > > >
> > > > How? The point of using user threads is that you only ever access the
> > > > address space of the thread that called the ioctl.
> > >
> > > Think about this example with processes A and B sharing an fd:
> > > A does SET_USED_ADDRESS
> > > B does SET_USED_ADDRESS
> > > A does VHOST_NET_SPLICE
> > > See how stuff gets written into a random place in memory of A?
> >
> > Yes, I didn't think of that. It doesn't seem like a big problem
> > though, because it's a clear misuse of the API (I guess your
> > current code returns an error for one of the SET_USED_ADDRESS
> > ioctls), so I would see it as a classic garbage-in garbage-out
> > case.
> >
> > It may even work in the case that the sharing of the fd resulted
> > from a fork, where the address contains the same buffer in both
> > processes. I can't think of a reason why you would want to use
> > it like that though.
>
> It doesn't matter that I don't want this: allowing one process to corrupt
> another's memory is a security issue. Once you get an fd, you want to
> be able to use it without worrying that a bug in another process will
> crash yours.
>
If B's SET_USED_ADDRESS fails, how can one process corrupt the memory of
another process?
--
Gleb.
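The A/B sequence quoted above, as a constructed C model added here (not code from the vhost_net patch or from anyone in the thread): one per-fd state shared by both processes, first with no ownership check, so that B's SET_USED_ADDRESS changes where A's splice writes, then with a SET_OWNER-style binding that rejects B with -EPERM. The `model_*` names, the pids 100/200 and the addresses are assumptions.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed model of the per-fd state every process sharing the descriptor sees. */
struct vhost_model {
	int enforce_owner;   /* 1: require the SET_OWNER binding below */
	int owner;           /* pid that did SET_OWNER, 0 if none yet */
	uintptr_t used_addr; /* user address the kernel side writes into */
};
/* VHOST_SET_OWNER analogue: bind the device to the first caller's process. */
int model_set_owner(struct vhost_model *d, int caller)
{
	if (d->owner && d->owner != caller)
		return -EBUSY;
	d->owner = caller;
	return 0;
}
/* The check every later ioctl runs; a no-op when enforcement is off. */
static int model_check_owner(const struct vhost_model *d, int caller)
{
	return (!d->enforce_owner || d->owner == caller) ? 0 : -EPERM;
}
/* SET_USED_ADDRESS analogue: record where the device will write. */
int model_set_used_address(struct vhost_model *d, int caller, uintptr_t addr)
{
	int err = model_check_owner(d, caller);
	if (!err)
		d->used_addr = addr;
	return err;
}
/* VHOST_NET_SPLICE analogue: report the caller-space address the write would hit. */
int model_splice(const struct vhost_model *d, int caller, uintptr_t *where)
{
	int err = model_check_owner(d, caller);
	if (!err)
		*where = d->used_addr;
	return err;
}
/* Replay the thread's A/B sequence (constructed pids/addresses): returns where
 * A's splice writes; *b_rc receives B's SET_USED_ADDRESS result. */
uintptr_t replay_ab(int enforce_owner, int *b_rc)
{
	struct vhost_model d = { .enforce_owner = enforce_owner };
	uintptr_t where = 0;
	model_set_owner(&d, 100);                        /* A takes the device */
	model_set_used_address(&d, 100, 0x1000);         /* A programs its buffer */
	*b_rc = model_set_used_address(&d, 200, 0x2000); /* B reprograms the same fd */
	model_splice(&d, 100, &where);                   /* A's data path fires */
	return where;
}
```

Without the binding, A's splice lands at the address B chose; with it, B's ioctl fails and A's splice stays at A's own buffer.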