From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AF2E529BD95 for ; Sat, 18 Apr 2026 17:39:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776533947; cv=none; b=brTk7OCiaT+vFJoNnQRIGrsc8Fvy9NKNI52JJrteZFqOT+nUVXSorwCNWJsdrvDA1+4iYZUSk7mhdBNoj6xHW9iJulsZvVJJyK7kyOy3BydUgApQO/K68nBFdgVaYqgVhgFHGoqdN3UuB/wjZ/b1eFvgGAJIy1Ee+rtS/ZnJx9A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776533947; c=relaxed/simple; bh=llDeGbmz2A+QdJNJmtoYg0HsCG5svSKrZtPZxGU6lYQ=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=ncJr5EGR7zaGp6EKfaFA318lksEu28v4uQ0uePdfV6QnOcCVWpo3+RD73Qi8i9jSQW5CY30sy1ckwGRYHOvecGO+OwFtOuGbu6QE90DvmDaoUS6H0tdDmCZn/BlemgrOJ138YZukFfa6LyogFipmvErT1CtkDJzLKtIWc74ZkmQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=Cgam7ewV; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b=s9j+z5cB; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Cgam7ewV"; dkim=pass (2048-bit key) header.d=redhat.com header.i=@redhat.com header.b="s9j+z5cB" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1776533943; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=9iy6MKv1dqfzDMGfIVAIu1M4pOZDOIff+mEjmJN5Vsc=; b=Cgam7ewV7/4TZSIUTFbxnFEEE8akB7QWdOmyMq/Z3P/nqJSribkR173DaK/QK0eAsdLX0Y 52S2ZqDKLfCM8I0uy2mGNmF+08BsZ/f06opAUrD4LJVOTfPGy9argT03j2KuZgGa6MMzSu G0QRpoFnBG3j2i7zJBfFmkE9ynW2+A0= Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com [209.85.221.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-655-yYA0jhJnPou9Po3jdUTjFA-1; Sat, 18 Apr 2026 13:39:02 -0400 X-MC-Unique: yYA0jhJnPou9Po3jdUTjFA-1 X-Mimecast-MFC-AGG-ID: yYA0jhJnPou9Po3jdUTjFA_1776533941 Received: by mail-wr1-f71.google.com with SMTP id ffacd0b85a97d-43efc93e4f6so1347601f8f.3 for ; Sat, 18 Apr 2026 10:39:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=google; t=1776533941; x=1777138741; darn=vger.kernel.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=9iy6MKv1dqfzDMGfIVAIu1M4pOZDOIff+mEjmJN5Vsc=; b=s9j+z5cBcq1wRP8xDt05qX+6hZj2Qns7kkA6wFz1iZLkBrifZHkhBsdaC9upyXnEEo nd0v2jt4okpXcG3P3gvhs2PWiEDUj5/eh2OnHFc7+Fyg+7w7mamWXJt7FI4tFVKAX5dL dKUBlGPL3BUFYl8m2aGVnsxKR3FyVVKrAZPpUmbiVJIhqyM6SIjxua5s56CUz9PN4llF td3u82/ZrrAeHXgQ4s/6WJ3zDUvRHDshK79IpcQB3P6GNl391j/mKQdQ8xe4wLVHry/w d4wgGnv3xyLjFHPd68zsK013vX8X13QR5DeAOObKaOZbqPUhK68Kad9ifl1FM8Y7t9l/ CgqA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776533941; x=1777138741; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=9iy6MKv1dqfzDMGfIVAIu1M4pOZDOIff+mEjmJN5Vsc=; b=EfGOjC7ISIA+6l3+hyXXM3elzpSrQssmzOK29eKRY3oBa5vXR1LvmYE+LTLl4hP4sw oRc8WhfHh5jx6fcFAqT1n4D4NVREJ0HWNmVdvDbHVWLZf6ftWqT48lDi/jM6b81/IMV3 xYVik18PymtLDvmAfKQGApTxogbFGdys23v1GwGXE7N4+UQfGu+CHM/MN4PMDmoX/+TH c5jnh/PU/YBCT+B86+oMWxp9LdCvPmam2gvlCzdsfTQk2RQzNFbyW1uDelcWMAo9d5po kicBXXc4toecRb8FRgcRvnu1X87RbvHYj8MQ9Lsp3w0Zlsz+BC6CLENzhbgSAV2YBYZX gGiQ== X-Forwarded-Encrypted: i=1; AFNElJ/xSYH6CO5mKKiciyX+9cCe8dHW90WWD7UtkhduxkLDCCS9vj8tFj0CZAVGcwqG7gttbckPtxI8UeIJ37I=@vger.kernel.org X-Gm-Message-State: AOJu0YycODoa4secmDJuiEV7Zwxn0ZlZjPwdivRzCM6jGJdoO8YN4EKL 3OzERtxsaUjrxVn8zrcW6ZlUvVTtzPCh6F7EZ1z1+oU0KIXcnrG9IS4JBPaRTlUzzEKI+fqrUpj Jq6ITsSM5yDhLm1bx20/SYBeyhimmjVc/wG/NbqjByIEWxrrR4P6xAZ0QCDAia35/qQ== X-Gm-Gg: AeBDies4U35HLSgck0m6OCyHo+g1VxkNJ9ISnyx8EGmUekNiMMtF8Kj4RSezRCPeEEv QKhpjtOKLugUy9/3bw4IAHeRDps6SdBCX1r339L7vsDGpuGDl5xMVD4qiqxVZOrWfnv5D3jLBCS 4enfthJTO3hWxi0frKDP0RzCLyxlUuMq1wGvHgye+QiIk9yhbrtwmZZOKvbvvyRUj3DzAj6KRnA LctYdp1Eqxp4p+hOybxyhc0s+yP6oFtmmLuGlGQ70j4SPukWbrsTq8X1hKPMMXe0Os+Obi5MP4C vVs8Kcxp6IHimykdSJEqJAEofr0gys8KQaCSikvLz824FefxfUH+W8AQb/4rK87A625iZhfPrAB 0kA03x7aOAeH4iDP97xxTkiY3dHE/TsWQ2vMvGdGwRXlvIf0vNPCk2g== X-Received: by 2002:a05:600c:c4a2:b0:488:c078:bfda with SMTP id 5b1f17b1804b1-488fb78eebdmr104609995e9.26.1776533940868; Sat, 18 Apr 2026 10:39:00 -0700 (PDT) X-Received: by 2002:a05:600c:c4a2:b0:488:c078:bfda with SMTP id 5b1f17b1804b1-488fb78eebdmr104609765e9.26.1776533940363; Sat, 18 Apr 2026 10:39:00 -0700 (PDT) Received: from redhat.com (IGLD-80-230-25-21.inter.net.il. [80.230.25.21]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-488fc13938fsm213361595e9.10.2026.04.18.10.38.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 18 Apr 2026 10:38:59 -0700 (PDT) Date: Sat, 18 Apr 2026 13:38:57 -0400 From: "Michael S. Tsirkin" To: Michael Bommarito Cc: Olivia Mackall , Herbert Xu , linux-crypto@vger.kernel.org, Jason Wang , virtualization@lists.linux.dev, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] hwrng: virtio: clamp device-reported used.len at copy_data() Message-ID: <20260418133030-mutt-send-email-mst@kernel.org> References: <20260418000020.1847122-1-michael.bommarito@gmail.com> <20260418150613.3522589-1-michael.bommarito@gmail.com> <20260418131110-mutt-send-email-mst@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: On Sat, Apr 18, 2026 at 01:25:35PM -0400, Michael Bommarito wrote: > I think the difference comes back to how much you care about the > threat model and something like Spectre on the memcpy later in > copy_data. Maybe we do I'm just not sure I understand how do all these checks help, and for what threat. It could be just me being dense. The commit log merely describes use.len being OOB and also mentions data_idx. Requests are always for sizeof(vi->data) and they reset data_idx to 0: static void request_entropy(struct virtrng_info *vi) { struct scatterlist sg; reinit_completion(&vi->have_data); vi->data_idx = 0; sg_init_one(&sg, vi->data, sizeof(vi->data)); /* There should always be room for one buffer. */ virtqueue_add_inbuf(vi->vq, &sg, 1, vi->data, GFP_KERNEL); virtqueue_kick(vi->vq); } so to me, it looks like clamping that at sizeof(vi->data) addresses that. is there another threat you are worried about then? > The more verbose patch would keep the barrier at the cost > of the code complexity and a few extra cycles, but then we're back to > same tradeoffs that have haunted just about everyone. > > Will obviously defer to you on which path is really preferred, so let > me know if you want v3 with the simple nospec clamp. > > Thanks, > Michael Bommarito > > On Sat, Apr 18, 2026 at 1:18 PM Michael S. Tsirkin wrote: > > > > On Sat, Apr 18, 2026 at 11:06:13AM -0400, Michael Bommarito wrote: > > > random_recv_done() stores the device-reported used.len directly into > > > vi->data_avail. copy_data() then indexes vi->data[] using > > > vi->data_idx (advanced by previous copy_data() calls) and issues a > > > memcpy() without re-validating either value against the posted > > > buffer size sizeof(vi->data) (SMP_CACHE_BYTES bytes, typically 32 > > > or 64). > > > > > > A malicious or buggy virtio-rng backend can set used.len beyond > > > sizeof(vi->data), steering the memcpy() past the end of the inline > > > array into adjacent kmalloc-1k slab bytes. hwrng_fillfn() mixes > > > those bytes into the guest RNG, and guest root can also observe > > > them directly via /dev/hwrng. > > > > > > Concrete impact is inside the guest: > > > > > > - Memory-safety / hardening: any virtio-rng backend that > > > over-reports used.len causes the driver to read past vi->data > > > into unrelated slab contents. hwrng_fillfn() is a kernel thread > > > that runs as soon as the device is probed; no guest userspace > > > interaction is required to first-trigger the OOB. > > > > > > - Cross-boundary leak (confidential-compute threat model): a > > > malicious hypervisor cooperating with a malicious or compromised > > > guest root userspace can use /dev/hwrng as a leak channel for > > > guest-kernel heap data. The host sets a large used.len, guest > > > root reads /dev/hwrng, and the returned bytes contain guest > > > kernel slab contents that were adjacent to vi->data. In > > > practice, confidential-compute guests (SEV-SNP, TDX) usually > > > disable virtio-rng entirely, so this path is narrow, but the > > > fix is still worth carrying because the underlying > > > memory-safety bug contaminates the guest RNG on any host. > > > > > > KASAN confirms the OOB on a guest booted under a QEMU 9.0 whose > > > virtio-rng backend has been patched to report used.len = 0x10000: > > > > > > BUG: KASAN: slab-out-of-bounds in virtio_read+0x394/0x5d0 > > > Read of size 64 at addr ffff8880089c2220 by task hwrng/52 > > > Call Trace: > > > __asan_memcpy > > > virtio_read+0x394/0x5d0 > > > hwrng_fillfn+0xb2/0x470 > > > kthread > > > Allocated by task 1: > > > probe_common+0xa5/0x660 > > > virtio_dev_probe+0x549/0xbc0 > > > The buggy address belongs to the object at ffff8880089c2000 > > > which belongs to the cache kmalloc-1k of size 1024 > > > The buggy address is located 0 bytes to the right of > > > allocated 544-byte region [ffff8880089c2000, ffff8880089c2220) > > > > > > Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer > > > overflow in USB transport layer"), which hardened > > > usb9pfs_rx_complete() against unchecked device-reported length in > > > the USB 9p transport. > > > > > > With the clamp at point of use and array_index_nospec() in place, > > > the same harness boots cleanly: copy_data() returns zero for the > > > bogus report, the device-supplied bytes after data_idx are > > > discarded, and the driver issues a fresh request. there should be --- here, btw. > > > Changes in v2 (per Michael S. Tsirkin review): > > > - move the bound check from random_recv_done() into copy_data(), > > > so the clamp sits immediately next to the memcpy it protects > > > - clamp to sizeof(vi->data) rather than substituting len = 0, so a > > > previously-working but buggy device that occasionally over-reports > > > used.len does not start returning zero-length reads > > > - add array_index_nospec() on vi->data_idx to defeat a speculative > > > out-of-bounds read given the malicious-backend threat model > > > - expand the commit message to describe the /dev/hwrng observation > > > path and the hypervisor + guest-root cooperation scenario > > > > > > Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") > > > Cc: stable@vger.kernel.org > > > Suggested-by: Michael S. Tsirkin > > > Signed-off-by: Michael Bommarito > > > Assisted-by: Claude:claude-opus-4-7 > > > --- > > > drivers/char/hw_random/virtio-rng.c | 23 +++++++++++++++++++++-- > > > 1 file changed, 21 insertions(+), 2 deletions(-) > > > > > > diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c > > > index 0ce02d7e5048..5e83ffa105e4 100644 > > > --- a/drivers/char/hw_random/virtio-rng.c > > > +++ b/drivers/char/hw_random/virtio-rng.c > > > @@ -7,6 +7,7 @@ > > > #include > > > #include > > > #include > > > +#include > > > #include > > > #include > > > #include > > > @@ -69,8 +70,26 @@ static void request_entropy(struct virtrng_info *vi) > > > static unsigned int copy_data(struct virtrng_info *vi, void *buf, > > > unsigned int size) > > > { > > > - size = min_t(unsigned int, size, vi->data_avail); > > > - memcpy(buf, vi->data + vi->data_idx, size); > > > + unsigned int idx, avail; > > > + > > > + /* > > > + * vi->data_avail was set from the device-reported used.len and > > > + * vi->data_idx was advanced by previous copy_data() calls. A > > > + * malicious or buggy virtio-rng backend can drive either past > > > + * sizeof(vi->data). Clamp at point of use and harden the index > > > + * with array_index_nospec() so the memcpy() below cannot be > > > + * steered into adjacent slab memory, including under > > > + * speculation. > > > + */ > > > + avail = min_t(unsigned int, vi->data_avail, sizeof(vi->data)); > > > + if (vi->data_idx >= avail) { > > > + vi->data_avail = 0; > > > + request_entropy(vi); > > > + return 0; > > > + } > > > + size = min_t(unsigned int, size, avail - vi->data_idx); > > > + idx = array_index_nospec(vi->data_idx, sizeof(vi->data)); > > > + memcpy(buf, vi->data + idx, size); > > > vi->data_idx += size; > > > vi->data_avail -= size; > > > if (vi->data_avail == 0) > > > -- > > > > > > This came out quite complex. > > Tell me, will the following do the trick? > > > > > > diff --git a/drivers/char/hw_random/virtio-rng.c b/drivers/char/hw_random/virtio-rng.c > > index 0ce02d7e5048..e887a68cc151 100644 > > --- a/drivers/char/hw_random/virtio-rng.c > > +++ b/drivers/char/hw_random/virtio-rng.c > > @@ -47,6 +47,8 @@ static void random_recv_done(struct virtqueue *vq) > > if (!virtqueue_get_buf(vi->vq, &len)) > > return; > > > > + len = array_index_nospec(len, sizeof(vi->data)); > > + > > smp_store_release(&vi->data_avail, len); > > complete(&vi->have_data); > > } > > > > > > > > > 2.53.0 > >