From: Stefan Hajnoczi <stefanha@redhat.com>
To: Wei Wang <wei.w.wang@intel.com>
Cc: virtio-dev@lists.oasis-open.org, qemu-devel@nongnu.org,
mst@redhat.com, marcandre.lureau@redhat.com, jasowang@redhat.com,
pbonzini@redhat.com, jan.kiszka@siemens.com,
avi.cohen@huawei.com, zhiyong.yang@intel.com
Subject: Re: [Qemu-devel] [PATCH v3 4/7] vhost-pci-slave: add vhost-pci slave implementation
Date: Tue, 5 Dec 2017 15:56:01 +0000 [thread overview]
Message-ID: <20171205155601.GG31150@stefanha-x1.localdomain> (raw)
In-Reply-To: <1512444796-30615-5-git-send-email-wei.w.wang@intel.com>
[-- Attachment #1: Type: text/plain, Size: 2862 bytes --]
On Tue, Dec 05, 2017 at 11:33:13AM +0800, Wei Wang wrote:
> +static int vp_slave_write(CharBackend *chr_be, VhostUserMsg *msg)
> +{
> + int size;
> +
> + if (!msg) {
> + return 0;
> + }
> +
> + /* The payload size has been assigned, plus the header size here */
> + size = msg->size + VHOST_USER_HDR_SIZE;
> + msg->flags &= ~VHOST_USER_VERSION_MASK;
> + msg->flags |= VHOST_USER_VERSION;
> +
> + return qemu_chr_fe_write_all(chr_be, (const uint8_t *)msg, size)
> + == size ? 0 : -1;
> +}
qemu_chr_fe_write_all() is a blocking operation. If the socket fd
cannot accept more data then this thread will block!
This is a reliability problem. If the vhost-user master process hangs
then the vhost-pci vhost-user slave will also hang :(.
Please implement vhost-pci so that it does not hang. A guest with
multiple vhost-pci devices should work even if one or more of them
cannot communicate with the vhost-pci master. This is necessary for
preventing denial-of-service on a software-defined network switch, for
example.
> +static void vp_slave_set_vring_num(VhostPCINet *vpnet, VhostUserMsg *msg)
> +{
> + struct vhost_vring_state *state = &msg->payload.state;
> +
> + vpnet->metadata->vq[state->index].vring_num = state->num;
The vhost-pci code cannot trust vhost-user input. This function allows
the vhost-user master to perform out-of-bounds memory stores by setting
state->index outside the vq[] array.
All input must be validated! The security model is:
1. Guest must be able to corrupt QEMU memory or execute arbitrary code.
2. vhost-user master guest must not be able to corrupt vhost-user slave
guest memory or execute arbitrary code.
3. vhost-user master must not be able to corrupt vhost-user memory or
execute arbitrary code in vhost-user slave.
4. vhost-user slave must not be able to corrupt vhost-user memory or
execute arbitrary code in vhost-user master.
The only thing that is allowed is vhost-user slave QEMU and guest may
write to vhost-user master guest memory.
> +void vp_slave_read(void *opaque, const uint8_t *buf, int size)
> +{
> + int ret, fd_num, fds[VHOST_MEMORY_MAX_NREGIONS];
> + VhostUserMsg msg;
> + uint8_t *p = (uint8_t *) &msg;
> + VhostPCINet *vpnet = (VhostPCINet *)opaque;
> + CharBackend *chr_be = &vpnet->chr_be;
> +
> + if (size != VHOST_USER_HDR_SIZE) {
> + error_report("%s: wrong message size received %d", __func__, size);
> + return;
> + }
> +
> + memcpy(p, buf, VHOST_USER_HDR_SIZE);
> +
> + if (msg.size) {
> + p += VHOST_USER_HDR_SIZE;
> + size = qemu_chr_fe_read_all(chr_be, p, msg.size);
This is a blocking operation. See my comment about
qemu_chr_fe_write_all().
This is also a buffer overflow since msg.size is not validated. All
input from the vhost-user master needs to be validated.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2017-12-05 15:56 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-05 3:33 [Qemu-devel] [PATCH v3 0/7] Vhost-pci for inter-VM communication Wei Wang
2017-12-05 3:33 ` [Qemu-devel] [PATCH v3 1/7] vhost-user: share the vhost-user protocol related structures Wei Wang
2017-12-05 3:33 ` [Qemu-devel] [PATCH v3 2/7] vhost-pci-net: add vhost-pci-net Wei Wang
2017-12-05 14:59 ` [Qemu-devel] [virtio-dev] " Stefan Hajnoczi
2017-12-05 15:17 ` Michael S. Tsirkin
2017-12-05 15:55 ` Michael S. Tsirkin
2017-12-05 16:41 ` Stefan Hajnoczi
2017-12-05 16:53 ` Michael S. Tsirkin
2017-12-05 17:00 ` Cornelia Huck
2017-12-05 18:06 ` Michael S. Tsirkin
2017-12-06 10:17 ` Wei Wang
2017-12-06 12:01 ` Stefan Hajnoczi
2017-12-05 3:33 ` [Qemu-devel] [PATCH v3 3/7] virtio/virtio-pci.c: add vhost-pci-net-pci Wei Wang
2017-12-05 3:33 ` [Qemu-devel] [PATCH v3 4/7] vhost-pci-slave: add vhost-pci slave implementation Wei Wang
2017-12-05 15:56 ` Stefan Hajnoczi [this message]
2017-12-14 17:30 ` Stefan Hajnoczi
2017-12-14 17:48 ` Stefan Hajnoczi
2017-12-05 3:33 ` [Qemu-devel] [PATCH v3 5/7] vhost-user: VHOST_USER_SET_VHOST_PCI msg Wei Wang
2017-12-05 16:00 ` Stefan Hajnoczi
2017-12-06 10:32 ` [Qemu-devel] [virtio-dev] " Wei Wang
2017-12-15 12:40 ` Stefan Hajnoczi
2017-12-05 3:33 ` [Qemu-devel] [PATCH v3 6/7] vhost-pci-slave: handle VHOST_USER_SET_VHOST_PCI Wei Wang
2017-12-05 3:33 ` [Qemu-devel] [PATCH v3 7/7] virtio/vhost.c: vhost-pci needs remote gpa Wei Wang
2017-12-05 16:05 ` Stefan Hajnoczi
2017-12-06 10:46 ` [Qemu-devel] [virtio-dev] " Wei Wang
2017-12-05 4:13 ` [Qemu-devel] [PATCH v3 0/7] Vhost-pci for inter-VM communication no-reply
2017-12-05 7:01 ` [Qemu-devel] [virtio-dev] " Jason Wang
2017-12-05 7:15 ` Wei Wang
2017-12-05 7:19 ` Jason Wang
2017-12-05 8:49 ` Avi Cohen (A)
2017-12-05 10:36 ` Wei Wang
2017-12-05 14:30 ` Stefan Hajnoczi
2017-12-05 15:20 ` [Qemu-devel] " Michael S. Tsirkin
2017-12-05 16:06 ` [Qemu-devel] [virtio-dev] " Stefan Hajnoczi
2017-12-06 13:49 ` Stefan Hajnoczi
2017-12-06 16:09 ` Wang, Wei W
2017-12-06 16:27 ` Stefan Hajnoczi
2017-12-07 3:57 ` Wei Wang
2017-12-07 5:11 ` Michael S. Tsirkin
2017-12-07 5:34 ` Wei Wang
2017-12-07 6:31 ` Stefan Hajnoczi
2017-12-07 7:54 ` Avi Cohen (A)
2017-12-07 8:04 ` Stefan Hajnoczi
2017-12-07 8:31 ` Jason Wang
2017-12-07 10:24 ` [Qemu-devel] [virtio-dev] " Stefan Hajnoczi
2017-12-07 13:33 ` [Qemu-devel] " Michael S. Tsirkin
2017-12-07 9:02 ` Wei Wang
2017-12-07 13:08 ` Stefan Hajnoczi
2017-12-07 14:02 ` Michael S. Tsirkin
2017-12-07 16:29 ` Stefan Hajnoczi
2017-12-07 16:47 ` Michael S. Tsirkin
2017-12-07 17:29 ` Stefan Hajnoczi
2017-12-07 17:38 ` Michael S. Tsirkin
2017-12-07 18:28 ` Stefan Hajnoczi
2017-12-07 23:54 ` Michael S. Tsirkin
2017-12-08 6:08 ` Stefan Hajnoczi
2017-12-08 14:27 ` Michael S. Tsirkin
2017-12-08 16:15 ` Stefan Hajnoczi
2017-12-09 16:08 ` Wang, Wei W
2017-12-08 6:43 ` Wei Wang
2017-12-08 8:33 ` Stefan Hajnoczi
2017-12-09 16:23 ` Wang, Wei W
2017-12-11 11:11 ` Stefan Hajnoczi
2017-12-11 13:53 ` Wang, Wei W
2017-12-12 10:14 ` Stefan Hajnoczi
2017-12-13 8:11 ` Wei Wang
2017-12-13 12:35 ` Stefan Hajnoczi
2017-12-13 15:01 ` Michael S. Tsirkin
2017-12-13 20:08 ` Stefan Hajnoczi
2017-12-13 20:59 ` Michael S. Tsirkin
2017-12-14 15:06 ` Stefan Hajnoczi
2017-12-15 10:33 ` Wei Wang
2017-12-15 12:37 ` Stefan Hajnoczi
2017-12-13 21:50 ` Maxime Coquelin
2017-12-14 15:46 ` [Qemu-devel] [virtio-dev] " Stefan Hajnoczi
2017-12-14 16:27 ` Michael S. Tsirkin
2017-12-14 16:39 ` Maxime Coquelin
2017-12-14 16:40 ` Michael S. Tsirkin
2017-12-14 16:50 ` Maxime Coquelin
2017-12-14 18:11 ` Stefan Hajnoczi
2017-12-14 5:53 ` [Qemu-devel] " Wei Wang
2017-12-14 17:32 ` Stefan Hajnoczi
2017-12-15 9:10 ` Wei Wang
2017-12-15 12:26 ` Stefan Hajnoczi
2017-12-14 18:04 ` Stefan Hajnoczi
2017-12-15 10:33 ` [Qemu-devel] [virtio-dev] " Wei Wang
2017-12-15 12:00 ` Stefan Hajnoczi
2017-12-06 16:13 ` [Qemu-devel] " Stefan Hajnoczi
2017-12-19 11:35 ` Stefan Hajnoczi
2017-12-19 14:56 ` Michael S. Tsirkin
2017-12-19 17:05 ` Stefan Hajnoczi
2017-12-20 4:06 ` Michael S. Tsirkin
2017-12-20 6:26 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171205155601.GG31150@stefanha-x1.localdomain \
--to=stefanha@redhat.com \
--cc=avi.cohen@huawei.com \
--cc=jan.kiszka@siemens.com \
--cc=jasowang@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=virtio-dev@lists.oasis-open.org \
--cc=wei.w.wang@intel.com \
--cc=zhiyong.yang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).