From: Martin Radev <martin.b.radev@gmail.com>
To: kvm@vger.kernel.org
Cc: will@kernel.org, julien.thierry.kdev@gmail.com,
Martin Radev <martin.b.radev@gmail.com>
Subject: [PATCH kvmtool 0/5] kvmtool: Fix few found bugs
Date: Tue, 18 Jan 2022 00:11:58 +0200 [thread overview]
Message-ID: <cover.1642457047.git.martin.b.radev@gmail.com> (raw)
In December, we hosted a CTF where one of the challenges was exploiting
any "0day" bug in kvmtool [1]. Eight teams managed to find a bug and
exploit it in less than 36 hours. Write-ups for exploits are available
by HXP [2] and kalmarunionen [3].

Now, I'm aware that kvmtool is mostly used for KVM testing and KVM bring-up
in simulation environments. But since it does get mentioned in some
security-related projects [4, 5] and has a sandboxing feature, maybe it
makes sense to fix these bugs.

Could you please check if these patches make sense?

I have not verified that these patches do not break something for these virtio
drivers.

Kind regards,
Martin
[1]: https://2021.ctf.link/internal/challenge/dd0e8826-c970-4fde-8eeb-41a9d8a86b67/
[2]: https://hxp.io/blog/87/hxp-CTF-2021-indie_vmm-writeup/
[3]: https://www.kalmarunionen.dk/writeups/2021/hxp-2021/lkvm/
[4]: https://blog.quarkslab.com/no-tears-no-fears.html
[5]: https://fly.io/blog/sandboxing-and-workload-isolation/
Martin Radev (5):
virtio: Sanitize config accesses
virtio: Check for overflows in QUEUE_NOTIFY and QUEUE_SEL
virtio/net: Warn if virtio_net is implicitly enabled
Makefile: Mark stack as not executable
mmio: Sanitize addr and len
Makefile | 7 +++++--
include/kvm/virtio-9p.h | 1 +
include/kvm/virtio.h | 3 ++-
mmio.c | 4 ++++
virtio/9p.c | 21 ++++++++++++++++----
virtio/balloon.c | 8 +++++++-
virtio/blk.c | 8 +++++++-
virtio/console.c | 8 +++++++-
virtio/mmio.c | 44 ++++++++++++++++++++++++++++++++++-------
virtio/net.c | 11 ++++++++++-
virtio/pci.c | 40 +++++++++++++++++++++++++++++++++----
virtio/rng.c | 8 +++++++-
virtio/scsi.c | 8 +++++++-
virtio/vsock.c | 8 +++++++-
14 files changed, 154 insertions(+), 25 deletions(-)
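The series titles above name the checks the patches add (sanitizing guest-supplied config offsets and lengths, rejecting out-of-range QUEUE_SEL and QUEUE_NOTIFY indices, sanitizing MMIO addr and len), but the cover letter carries no hunks. As an added illustration that is not kvmtool's code, the following shows the shape of those checks on a hypothetical device model: the queue count, config size, struct names and function names are all assumptions made for the example, and the point is that each guest-controlled index or range is validated at the point of use, with the length check written so that offset + len cannot wrap around.

```c
/* Added example, not kvmtool code. Device geometry and names below are
 * hypothetical; the checks are the generic shape of the fixes the series
 * titles describe. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VQ_COUNT    4    /* hypothetical device with four virtqueues */
#define CONFIG_SIZE 16   /* hypothetical device config space, in bytes */

struct vq {
	bool notified;
};

struct dev {
	uint8_t   config[CONFIG_SIZE];
	struct vq vqs[VQ_COUNT];
	uint32_t  queue_sel;   /* last queue index selected by the guest */
};

/* A zeroed device instance for stand-alone runs and tests. */
static struct dev demo;

struct dev *demo_device(void)
{
	memset(&demo, 0, sizeof(demo));
	return &demo;
}

/* QUEUE_SEL: refuse to store an index that could later be used to index
 * vqs[] out of bounds. Returning false lets the caller ignore the write. */
bool handle_queue_sel(struct dev *d, uint32_t idx)
{
	if (idx >= VQ_COUNT) {
		fprintf(stderr, "guest selected invalid queue %u\n", idx);
		return false;
	}
	d->queue_sel = idx;
	return true;
}

/* QUEUE_NOTIFY carries its own index, so it is checked independently of
 * any earlier QUEUE_SEL write rather than trusting stored state. */
bool handle_queue_notify(struct dev *d, uint32_t idx)
{
	if (idx >= VQ_COUNT)
		return false;
	d->vqs[idx].notified = true;
	return true;
}

/* Config-space range check with both offset and len guest-controlled.
 * "len > CONFIG_SIZE - offset" is used instead of "offset + len > CONFIG_SIZE"
 * so a large len cannot wrap the sum back inside the window. */
bool config_access_ok(uint32_t offset, uint32_t len)
{
	if (offset >= CONFIG_SIZE)
		return false;
	if (len == 0 || len > CONFIG_SIZE - offset)
		return false;
	return true;
}

/* Copies len bytes of config space at offset into out; returns the number
 * of bytes copied, or 0 when the access was rejected. */
uint32_t config_read(const struct dev *d, uint32_t offset, uint32_t len,
		     uint8_t *out)
{
	if (!config_access_ok(offset, len))
		return 0;
	memcpy(out, d->config + offset, len);
	return len;
}

int main(void)
{
	struct dev *d = demo_device();
	uint8_t buf[CONFIG_SIZE];

	printf("queue_sel 3: %d, queue_sel 4: %d\n",
	       handle_queue_sel(d, 3), handle_queue_sel(d, 4));
	printf("config 4/0xffffffff accepted: %d\n",
	       config_read(d, 4, UINT32_MAX, buf) != 0);
	return 0;
}
```

The wraparound case is the one worth keeping in mind when reviewing such checks: with offset 4 and len 0xffffffff, a naive `offset + len > size` comparison computes 3 in 32-bit arithmetic and lets the access through, while the subtraction form rejects it.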
--
2.25.1
Thread overview: 16+ messages
2022-01-17 22:11 Martin Radev [this message]
2022-01-17 22:11 ` [PATCH kvmtool 1/5] virtio: Sanitize config accesses Martin Radev
2022-02-01 14:55 ` Andre Przywara
2022-02-01 15:27 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 2/5] virtio: Check for overflows in QUEUE_NOTIFY and QUEUE_SEL Martin Radev
2022-02-01 14:57 ` Andre Przywara
2022-02-01 15:28 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 3/5] virtio/net: Warn if virtio_net is implicitly enabled Martin Radev
2022-02-01 14:57 ` Andre Przywara
2022-02-01 15:31 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 4/5] Makefile: Mark stack as not executable Martin Radev
2022-02-01 15:01 ` Andre Przywara
2022-02-01 15:33 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 5/5] mmio: Sanitize addr and len Martin Radev
2022-02-01 15:34 ` Alexandru Elisei
2022-02-01 15:52 ` Andre Przywara