From: Martin Radev <martin.b.radev@gmail.com>
To: kvm@vger.kernel.org
Cc: will@kernel.org, julien.thierry.kdev@gmail.com,
Martin Radev <martin.b.radev@gmail.com>
Subject: [PATCH kvmtool 0/5] kvmtool: Fix few found bugs
Date: Tue, 18 Jan 2022 00:11:58 +0200 [thread overview]
Message-ID: <cover.1642457047.git.martin.b.radev@gmail.com> (raw)
In December, we hosted a CTF where one of the challenges was exploiting
any "0day" bug in kvmtool [1]. Eight teams managed to find a bug and
exploit it in less than 36 hours. Write-ups for exploits are available
by HXP [2] and kalmarunionen [3].
Now, I'm aware that kvmtool is mostly used for KVM testing and KVM bring-up
in simulation environments. But since it does get mentioned in some security-
related projects [4, 5] and has a sandboxing feature, maybe it makes sense
to fix these bugs.
Could you please check if these patches make sense?
I have not verified that these patches do not break something for these virtio
drivers.
Kind regards,
Martin
[1]: https://2021.ctf.link/internal/challenge/dd0e8826-c970-4fde-8eeb-41a9d8a86b67/
[2]: https://hxp.io/blog/87/hxp-CTF-2021-indie_vmm-writeup/
[3]: https://www.kalmarunionen.dk/writeups/2021/hxp-2021/lkvm/
[4]: https://blog.quarkslab.com/no-tears-no-fears.html
[5]: https://fly.io/blog/sandboxing-and-workload-isolation/
Martin Radev (5):
virtio: Sanitize config accesses
virtio: Check for overflows in QUEUE_NOTIFY and QUEUE_SEL
virtio/net: Warn if virtio_net is implicitly enabled
Makefile: Mark stack as not executable
mmio: Sanitize addr and len
Makefile | 7 +++++--
include/kvm/virtio-9p.h | 1 +
include/kvm/virtio.h | 3 ++-
mmio.c | 4 ++++
virtio/9p.c | 21 ++++++++++++++++----
virtio/balloon.c | 8 +++++++-
virtio/blk.c | 8 +++++++-
virtio/console.c | 8 +++++++-
virtio/mmio.c | 44 ++++++++++++++++++++++++++++++++++-------
virtio/net.c | 11 ++++++++++-
virtio/pci.c | 40 +++++++++++++++++++++++++++++++++----
virtio/rng.c | 8 +++++++-
virtio/scsi.c | 8 +++++++-
virtio/vsock.c | 8 +++++++-
14 files changed, 154 insertions(+), 25 deletions(-)
--
2.25.1
next reply other threads:[~2022-01-17 22:12 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-17 22:11 Martin Radev [this message]
2022-01-17 22:11 ` [PATCH kvmtool 1/5] virtio: Sanitize config accesses Martin Radev
2022-02-01 14:55 ` Andre Przywara
2022-02-01 15:27 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 2/5] virtio: Check for overflows in QUEUE_NOTIFY and QUEUE_SEL Martin Radev
2022-02-01 14:57 ` Andre Przywara
2022-02-01 15:28 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 3/5] virtio/net: Warn if virtio_net is implicitly enabled Martin Radev
2022-02-01 14:57 ` Andre Przywara
2022-02-01 15:31 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 4/5] Makefile: Mark stack as not executable Martin Radev
2022-02-01 15:01 ` Andre Przywara
2022-02-01 15:33 ` Alexandru Elisei
2022-01-17 22:12 ` [PATCH kvmtool 5/5] mmio: Sanitize addr and len Martin Radev
2022-02-01 15:34 ` Alexandru Elisei
2022-02-01 15:52 ` Andre Przywara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1642457047.git.martin.b.radev@gmail.com \
--to=martin.b.radev@gmail.com \
--cc=julien.thierry.kdev@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox