From: Stefan Lippers-Hollmann <s.l-h@gmx.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
"Michael S. Tsirkin" <mst@redhat.com>,
Jason Wang <jasowang@redhat.com>
Subject: Re: [PATCH 5.2 36/37] vhost: block speculation of translated descriptors
Date: Sat, 14 Sep 2019 02:54:11 +0200 [thread overview]
Message-ID: <20190914025411.3016e3d9@mir> (raw)
In-Reply-To: <20190913130522.155505270@linuxfoundation.org>
Hi
On 2019-09-13, Greg Kroah-Hartman wrote:
> From: Michael S. Tsirkin <mst@redhat.com>
>
> commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
>
> iovec addresses coming from vhost are assumed to be
> pre-validated, but in fact can be speculated to a value
> out of range.
>
> Userspace address are later validated with array_index_nospec so we can
> be sure kernel info does not leak through these addresses, but vhost
> must also not leak userspace info outside the allowed memory table to
> guests.
>
> Following the defence in depth principle, make sure
> the address is not validated out of node range.
[...]
This fails to compile as part of 5.2.15-rc1 on i386 (amd64 is fine), using
gcc 9.2.1. Reverting just this patch results in a successful build again.
> --- a/drivers/vhost/vhost.c
> +++ b/drivers/vhost/vhost.c
> @@ -1965,8 +1965,10 @@ static int translate_desc(struct vhost_v
> _iov = iov + ret;
> size = node->size - addr + node->start;
> _iov->iov_len = min((u64)len - s, size);
> - _iov->iov_base = (void __user *)(unsigned long)
> - (node->userspace_addr + addr - node->start);
> + _iov->iov_base = (void __user *)
> + ((unsigned long)node->userspace_addr +
> + array_index_nospec((unsigned long)(addr - node->start),
> + node->size));
> s += size;
> addr += size;
> ++ret;
>
>
CC [M] drivers/vhost/vhost.o
In file included from /build/linux-5.2/include/linux/export.h:45,
from /build/linux-5.2/include/linux/linkage.h:7,
from /build/linux-5.2/include/linux/kernel.h:8,
from /build/linux-5.2/include/linux/list.h:9,
from /build/linux-5.2/include/linux/wait.h:7,
from /build/linux-5.2/include/linux/eventfd.h:13,
from /build/linux-5.2/drivers/vhost/vhost.c:13:
/build/linux-5.2/drivers/vhost/vhost.c: In function 'translate_desc':
/build/linux-5.2/include/linux/compiler.h:345:38: error: call to '__compiletime_assert_1970' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
345 | _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
| ^
/build/linux-5.2/include/linux/compiler.h:326:4: note: in definition of macro '__compiletime_assert'
326 | prefix ## suffix(); \
| ^~~~~~
/build/linux-5.2/include/linux/compiler.h:345:2: note: in expansion of macro '_compiletime_assert'
345 | _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
| ^~~~~~~~~~~~~~~~~~~
/build/linux-5.2/include/linux/build_bug.h:39:37: note: in expansion of macro 'compiletime_assert'
39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
| ^~~~~~~~~~~~~~~~~~
/build/linux-5.2/include/linux/build_bug.h:50:2: note: in expansion of macro 'BUILD_BUG_ON_MSG'
50 | BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
| ^~~~~~~~~~~~~~~~
/build/linux-5.2/include/linux/nospec.h:56:2: note: in expansion of macro 'BUILD_BUG_ON'
56 | BUILD_BUG_ON(sizeof(_s) > sizeof(long)); \
| ^~~~~~~~~~~~
/build/linux-5.2/drivers/vhost/vhost.c:1970:5: note: in expansion of macro 'array_index_nospec'
1970 | array_index_nospec((unsigned long)(addr - node->start),
| ^~~~~~~~~~~~~~~~~~
make[3]: *** [/build/linux-5.2/scripts/Makefile.build:285: drivers/vhost/vhost.o] Error 1
make[2]: *** [/build/linux-5.2/scripts/Makefile.build:489: drivers/vhost] Error 2
make[1]: *** [/build/linux-5.2/Makefile:1072: drivers] Error 2
make: *** [/build/linux-5.2/Makefile:179: sub-make] Error 2
Regards
Stefan Lippers-Hollmann
next prev parent reply other threads:[~2019-09-14 0:47 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-13 13:07 [PATCH 5.2 00/37] 5.2.15-stable review Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 01/37] gpio: pca953x: correct type of reg_direction Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 02/37] gpio: pca953x: use pca953x_read_regs instead of regmap_bulk_read Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 03/37] ALSA: hda - Fix potential endless loop at applying quirks Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 04/37] ALSA: hda/realtek - Fix overridden device-specific initialization Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 05/37] ALSA: hda/realtek - Add quirk for HP Pavilion 15 Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 06/37] ALSA: hda/realtek - Enable internal speaker & headset mic of ASUS UX431FL Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 07/37] ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 08/37] sched/fair: Dont assign runtime for throttled cfs_rq Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 09/37] drm/vmwgfx: Fix double free in vmw_recv_msg() Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 10/37] drm/nouveau/sec2/gp102: add missing MODULE_FIRMWAREs Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 11/37] vhost/test: fix build for vhost test Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 12/37] vhost/test: fix build for vhost test - again Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 13/37] powerpc/64e: Drop stale call to smp_processor_id() which hangs SMP startup Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 14/37] powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 15/37] powerpc/tm: Fix restoring FP/VMX facility incorrectly on interrupts Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 16/37] batman-adv: fix uninit-value in batadv_netlink_get_ifindex() Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 17/37] batman-adv: Only read OGM tvlv_len after buffer len check Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 18/37] bcache: only clear BTREE_NODE_dirty bit when it is set Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 19/37] bcache: add comments for mutex_lock(&b->write_lock) Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 20/37] bcache: fix race in btree_flush_write() Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 21/37] IB/rdmavt: Add new completion inline Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 22/37] IB/{rdmavt, qib, hfi1}: Convert to new completion API Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 23/37] IB/hfi1: Unreserve a flushed OPFN request Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 24/37] drm/i915: Disable SAMPLER_STATE prefetching on all Gen11 steppings Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 25/37] drm/i915: Make sure cdclk is high enough for DP audio on VLV/CHV Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 26/37] mmc: sdhci-sprd: Fix the incorrect soft reset operation when runtime resuming Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 27/37] usb: chipidea: imx: add imx7ulp support Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 28/37] usb: chipidea: imx: fix EPROBE_DEFER support during driver probe Greg Kroah-Hartman
2019-09-13 13:07 ` Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 29/37] virtio/s390: fix race on airq_areas[] Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 30/37] drm/i915: Support flags in whitlist WAs Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 31/37] drm/i915: Support whitelist workarounds on all engines Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 32/37] drm/i915: whitelist PS_(DEPTH|INVOCATION)_COUNT Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 33/37] drm/i915: Add whitelist workarounds for ICL Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 34/37] drm/i915/icl: whitelist PS_(DEPTH|INVOCATION)_COUNT Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 35/37] Btrfs: fix unwritten extent buffers and hangs on future writeback attempts Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 36/37] vhost: block speculation of translated descriptors Greg Kroah-Hartman
2019-09-14 0:54 ` Stefan Lippers-Hollmann [this message]
2019-09-14 5:50 ` Greg Kroah-Hartman
2019-09-14 7:15 ` Stefan Lippers-Hollmann
2019-09-14 8:08 ` Greg Kroah-Hartman
2019-09-15 9:34 ` Thomas Backlund
2019-09-15 13:37 ` Greg Kroah-Hartman
2019-09-13 13:07 ` [PATCH 5.2 37/37] vhost: make sure log_num < in_num Greg Kroah-Hartman
2019-09-13 19:39 ` [PATCH 5.2 00/37] 5.2.15-stable review kernelci.org bot
2019-09-14 4:26 ` Naresh Kamboju
2019-09-14 7:43 ` Greg Kroah-Hartman
2019-09-14 14:08 ` Guenter Roeck
2019-09-15 13:34 ` Greg Kroah-Hartman
2019-09-16 9:25 ` Jon Hunter
2019-09-16 9:25 ` Jon Hunter
2019-09-16 10:41 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190914025411.3016e3d9@mir \
--to=s.l-h@gmx.de \
--cc=gregkh@linuxfoundation.org \
--cc=jasowang@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.