From: James Hogan <james.hogan@imgtec.com>
To: Andreas Herrmann <herrmann.der.user@googlemail.com>
Cc: Andreas Herrmann <andreas.herrmann@caviumnetworks.com>,
Pekka Enberg <penberg@kernel.org>,
David Daney <ddaney.cavm@gmail.com>, <kvm@vger.kernel.org>,
<linux-mips@linux-mips.org>, David Daney <david.daney@cavium.com>
Subject: Re: [PATCH 05/11] kvm tools, mips: Add MIPS support
Date: Mon, 12 May 2014 15:09:58 +0100
Message-ID: <5370D636.3020903@imgtec.com>
In-Reply-To: <20140512130110.GA17255@alberich>
Hi Andreas,
On 12/05/14 14:01, Andreas Herrmann wrote:
> On Fri, May 09, 2014 at 10:15:29PM +0100, James Hogan wrote:
>> On 06/05/14 16:51, Andreas Herrmann wrote:
>>> +static bool kvm_cpu__hypercall_write_cons(struct kvm_cpu *vcpu)
>>> +{
>>> + int term = (int)vcpu->kvm_run->hypercall.args[0];
>>> + u64 addr = vcpu->kvm_run->hypercall.args[1];
>>> + int len = (int)vcpu->kvm_run->hypercall.args[2];
>>> + char *host_addr;
>>> +
>>> + if (term < 0 || term >= TERM_MAX_DEVS) {
>>> + pr_warning("hypercall_write_cons term out of range <%d>", term);
>>> + return false;
>>> + }
>>> + if (len <= 0) {
>>> + pr_warning("hypercall_write_cons len out of range <%d>", len);
>>> + return false;
>>> + }
>>> +
>>> + if ((addr & 0xffffffffc0000000ull) == 0xffffffff80000000ull)
>>> + addr &= 0x1ffffffful; /* Convert KSEG{0,1} to physical. */
>>> + if ((addr & 0xc000000000000000ull) == 0x8000000000000000ull)
>>> + addr &= 0x07ffffffffffffffull; /* Convert XKPHYS to pysical */
>>> +
>>> + host_addr = guest_flat_to_host(vcpu->kvm, addr);
>>> + if (!host_addr) {
>>> + pr_warning("hypercall_write_cons unmapped physaddr %llx", (unsigned long long)addr);
>>> + return false;
>>> + }
>>> +
>>> + term_putc(host_addr, len, term);
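Review bot: `len` has only a lower bound here, and `guest_flat_to_host(vcpu->kvm, addr)` validates just the start address, so a large guest-chosen `len` lets `term_putc(host_addr, len, term)` read past the end of the memory bank that backs `addr`. Clip or reject `len` against the bytes remaining in that bank (or also translate the last byte of the range and require it to land in the same bank) before the `term_putc` call. Minor: the XKPHYS comment reads "pysical" for "physical".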
>>
>> Does len need to be range checked?
>
> len <= 0 is checked above.
> I don't think an upper boundary check is required.
> term_putc (using write) should be able to handle it.
> No?
Well, it looks to me from my naive look at the code (my experience with
tools/kvm/ is pretty much just reading some of the code after looking at
this patchset) like the guest could provide a very large positive len
argument and overflow the host_addr of the memory bank, possibly reading
into other userspace memory which would then get written to the console.
Yes, if it's unmapped the kernel will detect it so it's not so bad (no
seg faults). I guess it all depends on how any memory that is passed to
kvm__register_mem was allocated. mmap_anon_or_hugetlbfs may use mmap
which leaves the possibility open of another virtual mapping being
created immediately after it.
AFAICT the best way to avoid that is probably to somehow extend
guest_flat_to_host to provide the address limit too so the provided
length can be checked/clipped, or maybe call it for the end address too
to check the full range is valid and belongs to the same mapping,
although that's a bit more of a hack and technically isn't watertight!
Maybe I'm being paranoid though :)
Cheers
James
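A range-aware translation along the lines James suggests, added here as an example that is not part of the patch or of tools/kvm/: `struct mem_bank`, `guest_range_to_host`, `demo_ram` and `write_cons_checked` are hypothetical stand-ins, and only the KSEG/XKPHYS conversion is taken from the hunk above. It compares the guest's `len` against the bytes left in the bank instead of adding it to the address, so an oversized request is clipped rather than running into whatever mapping follows.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for a kvmtool memory bank (hypothetical layout). */
struct mem_bank {
	uint64_t guest_phys;	/* guest physical base */
	uint64_t size;		/* bank length in bytes */
	char *host_addr;	/* host mapping of guest_phys */
};

/* The patch's KSEG0/1 and XKPHYS conversions, factored out. */
uint64_t mips_to_phys(uint64_t addr)
{
	if ((addr & 0xffffffffc0000000ull) == 0xffffffff80000000ull)
		return addr & 0x1ffffffful;		/* KSEG0/1 -> phys */
	if ((addr & 0xc000000000000000ull) == 0x8000000000000000ull)
		return addr & 0x07ffffffffffffffull;	/* XKPHYS -> phys */
	return addr;
}

/* Range-aware guest_flat_to_host: host pointer for addr, or NULL if addr
 * is in no bank; *out_len gets min(len, bytes left in that bank).  len is
 * compared to the remainder, never added to addr, so it cannot wrap. */
char *guest_range_to_host(const struct mem_bank *banks, size_t nbanks,
			  uint64_t addr, uint64_t len, uint64_t *out_len)
{
	uint64_t phys = mips_to_phys(addr);
	for (size_t i = 0; i < nbanks; i++) {
		uint64_t off = phys - banks[i].guest_phys;
		if (phys < banks[i].guest_phys || off >= banks[i].size)
			continue;
		*out_len = banks[i].size - off;
		if (len < *out_len)
			*out_len = len;		/* clip to the bank end */
		return banks[i].host_addr + off;
	}
	*out_len = 0;
	return NULL;
}

char demo_ram[4096];	/* constructed 4 KiB guest RAM bank at phys 0 */
const struct mem_bank demo_banks[1] = { { 0, sizeof(demo_ram), demo_ram } };

/* Hypercall-side use: bytes safely writable from addr (clipped to the
 * bank), or -1 when len or the start address is invalid. */
int64_t write_cons_checked(uint64_t addr, int len)
{
	uint64_t n;
	if (len <= 0)
		return -1;		/* the patch's existing lower bound */
	if (!guest_range_to_host(demo_banks, 1, addr, (uint64_t)len, &n))
		return -1;		/* start address unmapped */
	return (int64_t)n;	/* n < len means the request was clipped */
}
```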