From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
To: "Michael S. Tsirkin" <mst@redhat.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: jasowang@redhat.com, virtualization@lists.linux-foundation.org,
	linux-kernel@vger.kernel.org, elena.reshetova@intel.com,
	kirill.shutemov@linux.intel.com, Amit Shah <amit@kernel.org>,
	Arnd Bergmann <arnd@arndb.de>,
	alexander.shishkin@linux.intel.com
Subject: Re: [PATCH v1 4/6] virtio console: Harden control message handling
Date: Fri, 20 Jan 2023 18:41:27 +0200
Message-ID: <87y1pxp39k.fsf@ubik.fi.intel.com>
In-Reply-To: <20230120074120-mutt-send-email-mst@kernel.org>

"Michael S. Tsirkin" <mst@redhat.com> writes:

> On Thu, Jan 19, 2023 at 04:22:09PM +0100, Greg Kroah-Hartman wrote:
>> On Thu, Jan 19, 2023 at 03:57:19PM +0200, Alexander Shishkin wrote:
>> > In handle_control_message(), we look at the ->event field twice, which
>> > gives a malicious VMM a window in which to switch it from PORT_ADD to
>> > PORT_REMOVE, triggering a null dereference further down the line:
>> 
>> How does the other VMM have full control over the full message here?
>> Shouldn't this all have been copied into our local memory if we are
>> going to be poking around in it?  Like I mentioned in my other review,
>> copy it all once and then parse it.  Don't try to mess with individual
>> fields one at a time otherwise that way lies madness...
>> 
>> thanks,
>> 
>> greg k-h
>
> I agree and in fact, it is *already* copied since with malicious
> device we generally use a bounce buffer.

Right, but the code should probably be able to handle bad input on its
own, or what do you think?

> Having said that, the patch is actually a cleanup, e.g. it's clearer
> to byte-swap only once.
> Just don't oversell it as a security thing.

Well, security was the original motivation, so that's what it said in
the commit message. But we settled on [0] yesterday with Greg, which
would replace this patch and 2/6.

[0] https://lore.kernel.org/all/87a62eqo4h.fsf@ubik.fi.intel.com/

Regards,
--
Alex
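The double read Alexander describes and the copy-once-then-parse shape Greg asks for, as an added C model that is not the kernel's virtio_console code: the control message struct, the event codes, the port lookup result passed in as a parameter and the tamper hook standing in for a VMM are all constructed here for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a virtio console control message; the event
 * codes are constructed too, not the kernel's own values. */
enum { EV_PORT_ADD = 1, EV_PORT_REMOVE = 3 };
enum { HANDLED_NONE = 0, HANDLED_ADD = 1, HANDLED_REMOVE = 2, BUG_NULL_PORT = -1 };
struct ctrl_msg {
    uint32_t id;
    uint16_t event;
};
/* Test hook modelling a VMM that rewrites device-shared memory between the
 * driver's two reads; NULL means the device stays quiet. */
typedef void (*tamper_fn)(struct ctrl_msg *shared);

/* Vulnerable shape: the check reads shared->event once, the dispatch reads
 * it again. `port` is the lookup result for msg id (NULL: not added yet).
 * PORT_ADD is the only event allowed through with a NULL port, so a flip
 * to PORT_REMOVE inside the window removes a port that does not exist. */
int handle_double_fetch(struct ctrl_msg *shared, void *port, tamper_fn tamper)
{
    if (!port && shared->event != EV_PORT_ADD)
        return HANDLED_NONE;                /* first read: dropped as garbage */
    if (tamper) tamper(shared);             /* the race window */
    switch (shared->event) {                /* second read of shared memory */
    case EV_PORT_ADD:    return HANDLED_ADD;
    case EV_PORT_REMOVE: return port ? HANDLED_REMOVE : BUG_NULL_PORT;
    default:             return HANDLED_NONE;
    }
}

/* Hardened shape: copy the whole message once into driver-owned memory and
 * parse only the copy; later tampering with the shared buffer is harmless. */
int handle_single_copy(struct ctrl_msg *shared, void *port, tamper_fn tamper)
{
    struct ctrl_msg msg;
    memcpy(&msg, shared, sizeof(msg));      /* the one and only fetch */
    if (!port && msg.event != EV_PORT_ADD)
        return HANDLED_NONE;
    if (tamper) tamper(shared);             /* same window, no effect on msg */
    switch (msg.event) {
    case EV_PORT_ADD:    return HANDLED_ADD;
    case EV_PORT_REMOVE: return port ? HANDLED_REMOVE : BUG_NULL_PORT;
    default:             return HANDLED_NONE;
    }
}

/* Models the malicious VMM: flips PORT_ADD to PORT_REMOVE mid-handling. */
void flip_to_remove(struct ctrl_msg *shared) { shared->event = EV_PORT_REMOVE; }
```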
