All of lore.kernel.org
 help / color / mirror / Atom feed
From: Carlos Bilbao <carlos.bilbao.osdev@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	"David Hildenbrand (Arm)" <david@kernel.org>,
	"Hari Mishal" <harimishal1@gmail.com>,
	"Jason Wang" <jasowangio@gmail.com>,
	"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
	"Eugenio Pérez" <eperezma@redhat.com>,
	virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
	elena.reshetova@intel.com, huster@cs.uni-goettingen.de,
	mhollick@seemoo.de, jiska.classen@hpi.de
Subject: Re: [PATCH v2 1/4] virtio-mem: validate device-reported block size
Date: Sat, 18 Jul 2026 10:07:30 -0700	[thread overview]
Message-ID: <ae5bc86b-cb8d-4530-9e58-d285007deac0@gmail.com> (raw)
In-Reply-To: <2026071803-passage-dares-8240@gregkh>

On 7/17/26 22:29, Greg Kroah-Hartman wrote:

> On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
>> Historically, one of the biggest criticisms of coco, especially around
>> device hardening, was that there were too many values that a
>> malicious/buggy device could misreport, making it a losing battle. That is
>> no longer the case with LLMs, and we have the advantage (and challenge) of
>> open-source dev, which allows us to receive many of these fixes "for free".
>> If others want to burn their tokens, let them :)
> I have lots of tokens to burn :)
>
> So along those lines, any suggestions on how best to fuzz these code
> paths?  Any workloads you all use for testing that I can take advantage
> of?


We've the virtio-mem config struct layout and the kernel source, so for
obvious fixes like a NULL check, static analysis is better than fuzzing.
Claude took a few mins to find me two examples:

Patch 1: virtio-mem: reject non-power-of-two device_block_size
This one is for virtio_mem_init() to check if
!is_power_of_2(vm->device_block_size)

Patch 2: virto-mem: validate region_size and usable_region_size
THis one checks region_size != 0 and vm->usable_reion_size >
vm->region_size.

An endless factory of "silly" checks like these are low hanging fruit.

Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
like a great candidate for those interested in pursuing this direction.


Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
can't quickly adapt for virtio-mem and other virtio drivers; the JSON
definition to describe device behavior is easily extensible. Their threat
model [2] describes an external attacker, but in the context of coco, the
virtio device itself is the attacker. Here's a vibe coded PR of what I mean:

https://github.com/seemoo-lab/VirtFuzz/pull/7

CCed the creators/authors, thanks for open sourcing this!

Thanks,
Carlos

[1] https://github.com/seemoo-lab/VirtFuzz

On 7/17/26 22:29, Greg Kroah-Hartman wrote:

> On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
>> Historically, one of the biggest criticisms of coco, especially around
>> device hardening, was that there were too many values that a
>> malicious/buggy device could misreport, making it a losing battle. That is
>> no longer the case with LLMs, and we have the advantage (and challenge) of
>> open-source dev, which allows us to receive many of these fixes "for free".
>> If others want to burn their tokens, let them :)
> I have lots of tokens to burn :)
>
> So along those lines, any suggestions on how best to fuzz these code
> paths?  Any workloads you all use for testing that I can take advantage
> of?


We've the virto-mem config struct layout and the kernel source, so for
obvious fixes like a NULL check, static analysis is better than fuzzing.
Claude took a few mins to find me two examples:

Patch 1: virtio-mem: reject non-power-of-two device_block_size
This one is for virtio_mem_init() to check if
!is_power_of_2(vm->device_block_size)

Patch 2: virto-mem: validate region_size and usable_region_size
THis one checks region_size != 0 and vm->usable_reion_size >
vm->region_size.

An endless factory of "silly" checks like these are low hanging fruit.

Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
like a great candidate for those interested in pursuing this direction.


Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
can't quickly adapt for virtio-mem and other virtio drivers; the JSON
definition to describe device behavior is easily extensible. Their threat
model [2] describes an external attacker, but in the context of coco, the
virtio device itself is the attacker. Here's a vibe coded PR of what I mean:

https://github.com/seemoo-lab/VirtFuzz/pull/7

CCed the creators/authors, thanks for open sourcing this!

Thanks,
Carlos

[1] https://github.com/seemoo-lab/VirtFuzz
[2] 
https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ


> thanks,
>
> greg k-h

[2] 
https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ


>
> thanks,
>
> greg k-h

  reply	other threads:[~2026-07-18 17:07 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-15 14:22 [PATCH 0/4] virtio: validate device-reported values across drivers Hari Mishal
2026-07-15 14:22 ` [PATCH 1/4] virtio-mem: validate device-reported block size Hari Mishal
2026-07-15 14:43   ` sashiko-bot
2026-07-15 15:57   ` Michael S. Tsirkin
2026-07-15 16:41   ` [PATCH v2 " Hari Mishal
2026-07-16  8:55     ` David Hildenbrand (Arm)
2026-07-16 14:18       ` Greg Kroah-Hartman
2026-07-16 15:59         ` David Hildenbrand (Arm)
2026-07-17  5:03           ` Greg Kroah-Hartman
2026-07-17  5:48           ` Michael S. Tsirkin
2026-07-17  8:39             ` David Hildenbrand (Arm)
2026-07-17  8:59               ` Michael S. Tsirkin
2026-07-17  9:14                 ` Greg Kroah-Hartman
2026-07-17 10:10                   ` Michael S. Tsirkin
2026-07-17 10:15                     ` Greg Kroah-Hartman
2026-07-17 10:21                       ` David Hildenbrand (Arm)
2026-07-17 10:28                         ` Michael S. Tsirkin
2026-07-17 10:44                         ` Greg Kroah-Hartman
2026-07-17 11:00                           ` David Hildenbrand (Arm)
2026-07-17 10:23                       ` Michael S. Tsirkin
2026-07-17 10:46                         ` Greg Kroah-Hartman
2026-07-17 10:52                           ` Michael S. Tsirkin
2026-07-17 12:07                             ` Greg Kroah-Hartman
2026-07-17 13:08                               ` Michael S. Tsirkin
2026-07-17 14:31                                 ` Greg Kroah-Hartman
2026-07-17 15:27                                   ` Michael Kelley
2026-07-17 16:28                                   ` Michael S. Tsirkin
2026-07-17 16:30                                     ` Michael S. Tsirkin
2026-07-18  3:31                                 ` Carlos Bilbao
2026-07-18  5:29                                   ` Greg Kroah-Hartman
2026-07-18 17:07                                     ` Carlos Bilbao [this message]
2026-07-18 17:21                                       ` Michael S. Tsirkin
2026-07-18 17:41                                         ` Carlos Bilbao
2026-07-15 14:22 ` [PATCH 2/4] virtio_input: validate device-reported multitouch slot count Hari Mishal
2026-07-15 14:35   ` sashiko-bot
2026-07-15 15:50   ` Michael S. Tsirkin
2026-07-15 16:07     ` Hari Mishal
2026-07-15 16:11       ` Michael S. Tsirkin
2026-07-15 18:25         ` Dmitry Torokhov
     [not found]           ` <CAMmC+=DXS=xs0CZyf+N-71NT8D51xQYatBv=dfVQC1aBohDdmA@mail.gmail.com>
     [not found]             ` <alkTnRb9qhgcMGGi@google.com>
2026-07-16 17:33               ` Dmitry Torokhov
2026-07-15 16:41   ` [PATCH v2 " Hari Mishal
2026-07-15 14:22 ` [PATCH 3/4] virtio_console: avoid NULL portdev dereference in in_intr() Hari Mishal
2026-07-15 14:37   ` sashiko-bot
2026-07-15 14:22 ` [PATCH 4/4] virtio_console: take a kref in find_port_by_vq() to fix port UAF Hari Mishal
2026-07-15 14:38   ` sashiko-bot
2026-07-15 14:42   ` [PATCH v2 " Hari Mishal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ae5bc86b-cb8d-4530-9e58-d285007deac0@gmail.com \
    --to=carlos.bilbao.osdev@gmail.com \
    --cc=david@kernel.org \
    --cc=elena.reshetova@intel.com \
    --cc=eperezma@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=harimishal1@gmail.com \
    --cc=huster@cs.uni-goettingen.de \
    --cc=jasowangio@gmail.com \
    --cc=jiska.classen@hpi.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhollick@seemoo.de \
    --cc=mst@redhat.com \
    --cc=virtualization@lists.linux.dev \
    --cc=xuanzhuo@linux.alibaba.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.