From: "Michael S. Tsirkin" <mst@redhat.com>
To: Carlos Bilbao <carlos.bilbao.osdev@gmail.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"David Hildenbrand (Arm)" <david@kernel.org>,
"Hari Mishal" <harimishal1@gmail.com>,
"Jason Wang" <jasowangio@gmail.com>,
"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
"Eugenio Pérez" <eperezma@redhat.com>,
virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
elena.reshetova@intel.com, huster@cs.uni-goettingen.de,
mhollick@seemoo.de, jiska.classen@hpi.de
Subject: Re: [PATCH v2 1/4] virtio-mem: validate device-reported block size
Date: Sat, 18 Jul 2026 13:21:20 -0400 [thread overview]
Message-ID: <20260718131715-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <ae5bc86b-cb8d-4530-9e58-d285007deac0@gmail.com>
On Sat, Jul 18, 2026 at 10:07:30AM -0700, Carlos Bilbao wrote:
> On 7/17/26 22:29, Greg Kroah-Hartman wrote:
>
> > On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
> > > Historically, one of the biggest criticisms of coco, especially around
> > > device hardening, was that there were too many values that a
> > > malicious/buggy device could misreport, making it a losing battle. That is
> > > no longer the case with LLMs, and we have the advantage (and challenge) of
> > > open-source dev, which allows us to receive many of these fixes "for free".
> > > If others want to burn their tokens, let them :)
> > I have lots of tokens to burn :)
> >
> > So along those lines, any suggestions on how best to fuzz these code
> > paths? Any workloads you all use for testing that I can take advantage
> > of?
>
>
> We've the virtio-mem config struct layout and the kernel source, so for
> obvious fixes like a NULL check, static analysis is better than fuzzing.
> Claude took a few mins to find me two examples:
>
> Patch 1: virtio-mem: reject non-power-of-two device_block_size
> This one is for virtio_mem_init() to check if
> !is_power_of_2(vm->device_block_size)
>
> Patch 2: virto-mem: validate region_size and usable_region_size
> THis one checks region_size != 0 and vm->usable_reion_size >
> vm->region_size.
>
> An endless factory of "silly" checks like these are low hanging fruit.
At the same time, these checks don't actually help within the coco
threat model, do they?
> Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
> like a great candidate for those interested in pursuing this direction.
>
>
> Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
> can't quickly adapt for virtio-mem and other virtio drivers; the JSON
> definition to describe device behavior is easily extensible. Their threat
> model [2] describes an external attacker, but in the context of coco, the
> virtio device itself is the attacker.
What we need, however, is to exclude DoS attacks - these are outside the
threat model. If people try to address all DoS attacks uncritically we
just get a churn of changes which just might introduce issues of their
own.
Example:
BUG_ON(!is_power_of_2(....));
panics, non exploitable.
if(!is_power_of_2(....))
goto error;
can become exploitable if the cleanup is done wrong.
> Here's a vibe coded PR of what I mean:
>
> https://github.com/seemoo-lab/VirtFuzz/pull/7
>
> CCed the creators/authors, thanks for open sourcing this!
>
> Thanks,
> Carlos
>
> [1] https://github.com/seemoo-lab/VirtFuzz
>
> On 7/17/26 22:29, Greg Kroah-Hartman wrote:
>
> > On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
> > > Historically, one of the biggest criticisms of coco, especially around
> > > device hardening, was that there were too many values that a
> > > malicious/buggy device could misreport, making it a losing battle. That is
> > > no longer the case with LLMs, and we have the advantage (and challenge) of
> > > open-source dev, which allows us to receive many of these fixes "for free".
> > > If others want to burn their tokens, let them :)
> > I have lots of tokens to burn :)
> >
> > So along those lines, any suggestions on how best to fuzz these code
> > paths? Any workloads you all use for testing that I can take advantage
> > of?
>
>
> We've the virto-mem config struct layout and the kernel source, so for
> obvious fixes like a NULL check, static analysis is better than fuzzing.
> Claude took a few mins to find me two examples:
>
> Patch 1: virtio-mem: reject non-power-of-two device_block_size
> This one is for virtio_mem_init() to check if
> !is_power_of_2(vm->device_block_size)
>
> Patch 2: virto-mem: validate region_size and usable_region_size
> THis one checks region_size != 0 and vm->usable_reion_size >
> vm->region_size.
>
> An endless factory of "silly" checks like these are low hanging fruit.
>
> Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
> like a great candidate for those interested in pursuing this direction.
>
>
> Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
> can't quickly adapt for virtio-mem and other virtio drivers; the JSON
> definition to describe device behavior is easily extensible. Their threat
> model [2] describes an external attacker, but in the context of coco, the
> virtio device itself is the attacker. Here's a vibe coded PR of what I mean:
>
> https://github.com/seemoo-lab/VirtFuzz/pull/7
>
> CCed the creators/authors, thanks for open sourcing this!
>
> Thanks,
> Carlos
>
> [1] https://github.com/seemoo-lab/VirtFuzz
> [2] https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ
>
>
> > thanks,
> >
> > greg k-h
>
> [2] https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ
>
>
> >
> > thanks,
> >
> > greg k-h
next prev parent reply other threads:[~2026-07-18 17:21 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-15 14:22 [PATCH 0/4] virtio: validate device-reported values across drivers Hari Mishal
2026-07-15 14:22 ` [PATCH 1/4] virtio-mem: validate device-reported block size Hari Mishal
2026-07-15 14:43 ` sashiko-bot
2026-07-15 15:57 ` Michael S. Tsirkin
2026-07-15 16:41 ` [PATCH v2 " Hari Mishal
2026-07-16 8:55 ` David Hildenbrand (Arm)
2026-07-16 14:18 ` Greg Kroah-Hartman
2026-07-16 15:59 ` David Hildenbrand (Arm)
2026-07-17 5:03 ` Greg Kroah-Hartman
2026-07-17 5:48 ` Michael S. Tsirkin
2026-07-17 8:39 ` David Hildenbrand (Arm)
2026-07-17 8:59 ` Michael S. Tsirkin
2026-07-17 9:14 ` Greg Kroah-Hartman
2026-07-17 10:10 ` Michael S. Tsirkin
2026-07-17 10:15 ` Greg Kroah-Hartman
2026-07-17 10:21 ` David Hildenbrand (Arm)
2026-07-17 10:28 ` Michael S. Tsirkin
2026-07-17 10:44 ` Greg Kroah-Hartman
2026-07-17 11:00 ` David Hildenbrand (Arm)
2026-07-17 10:23 ` Michael S. Tsirkin
2026-07-17 10:46 ` Greg Kroah-Hartman
2026-07-17 10:52 ` Michael S. Tsirkin
2026-07-17 12:07 ` Greg Kroah-Hartman
2026-07-17 13:08 ` Michael S. Tsirkin
2026-07-17 14:31 ` Greg Kroah-Hartman
2026-07-17 15:27 ` Michael Kelley
2026-07-17 16:28 ` Michael S. Tsirkin
2026-07-17 16:30 ` Michael S. Tsirkin
2026-07-18 3:31 ` Carlos Bilbao
2026-07-18 5:29 ` Greg Kroah-Hartman
2026-07-18 17:07 ` Carlos Bilbao
2026-07-18 17:21 ` Michael S. Tsirkin [this message]
2026-07-18 17:41 ` Carlos Bilbao
2026-07-15 14:22 ` [PATCH 2/4] virtio_input: validate device-reported multitouch slot count Hari Mishal
2026-07-15 14:35 ` sashiko-bot
2026-07-15 15:50 ` Michael S. Tsirkin
2026-07-15 16:07 ` Hari Mishal
2026-07-15 16:11 ` Michael S. Tsirkin
2026-07-15 18:25 ` Dmitry Torokhov
[not found] ` <CAMmC+=DXS=xs0CZyf+N-71NT8D51xQYatBv=dfVQC1aBohDdmA@mail.gmail.com>
[not found] ` <alkTnRb9qhgcMGGi@google.com>
2026-07-16 17:33 ` Dmitry Torokhov
2026-07-15 16:41 ` [PATCH v2 " Hari Mishal
2026-07-15 14:22 ` [PATCH 3/4] virtio_console: avoid NULL portdev dereference in in_intr() Hari Mishal
2026-07-15 14:37 ` sashiko-bot
2026-07-15 14:22 ` [PATCH 4/4] virtio_console: take a kref in find_port_by_vq() to fix port UAF Hari Mishal
2026-07-15 14:38 ` sashiko-bot
2026-07-15 14:42 ` [PATCH v2 " Hari Mishal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260718131715-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=carlos.bilbao.osdev@gmail.com \
--cc=david@kernel.org \
--cc=elena.reshetova@intel.com \
--cc=eperezma@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=harimishal1@gmail.com \
--cc=huster@cs.uni-goettingen.de \
--cc=jasowangio@gmail.com \
--cc=jiska.classen@hpi.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mhollick@seemoo.de \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.