From: Albert Esteve <aesteve@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>
Cc: qemu-devel@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>,
kraxel@redhat.com, stefanha@gmail.com
Subject: Re: [PATCH 1/3] hw/virtio: check owner for removing objects
Date: Thu, 7 Dec 2023 10:14:42 +0100
Message-ID: <CADSE00Jn0240p8nnPP0YxKdWvSADRUeSD2rGFSJAPysbk5WcTg@mail.gmail.com>
In-Reply-To: <CAJ+F1CLohGjKaKYk8x4MbNQ6e0M=E15VeJ5wjYW=O9nMapOZmg@mail.gmail.com>
On Mon, Dec 4, 2023 at 8:54 AM Marc-André Lureau <marcandre.lureau@gmail.com>
wrote:
> On Tue, Nov 7, 2023 at 1:37 PM Albert Esteve <aesteve@redhat.com> wrote:
> >
> > Shared objects lack spoofing protection.
> > For VHOST_USER_BACKEND_SHARED_OBJECT_REMOVE messages
> > received by the vhost-user interface, any backend was
> > allowed to remove entries from the shared table just
> > by knowing the UUID. Only the owner of the entry
> > shall be allowed to remove their resources
> > from the table.
> >
> > To fix that, add a check for all
> > *SHARED_OBJECT_REMOVE messages received.
> > A vhost device can only remove TYPE_VHOST_DEV
> > entries that are owned by them, otherwise skip
> > the removal, and inform the device that the entry
> > has not been removed in the answer.
> >
> > Signed-off-by: Albert Esteve <aesteve@redhat.com>
> > ---
> > hw/virtio/vhost-user.c | 21 +++++++++++++++++++--
> > 1 file changed, 19 insertions(+), 2 deletions(-)
> >
> > diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
> > index 7b42ae8aae..5fdff0241f 100644
> > --- a/hw/virtio/vhost-user.c
> > +++ b/hw/virtio/vhost-user.c
> > @@ -1602,10 +1602,26 @@
> vhost_user_backend_handle_shared_object_add(struct vhost_dev *dev,
> > }
> >
> > static int
> > -vhost_user_backend_handle_shared_object_remove(VhostUserShared *object)
> > +vhost_user_backend_handle_shared_object_remove(struct vhost_dev *dev,
> > + VhostUserShared *object)
> > {
> > QemuUUID uuid;
> >
> > + switch (virtio_object_type(&uuid)) {
>
> ../hw/virtio/vhost-user.c:1619:13: error: ‘uuid’ may be used
> uninitialized [-Werror=maybe-uninitialized]
> 1619 | switch (virtio_object_type(&uuid)) {
> | ^~~~~~~~~~~~~~~~~~~~~~~~~
>
>
Oops I didn't notice this. Maybe I am missing the
`Werror` flag when I compile locally. I'll fix it.
> > + case TYPE_VHOST_DEV:
> > + {
> > + struct vhost_dev *owner = virtio_lookup_vhost_device(&uuid);
> > + if (owner == NULL || dev != owner) {
> > + /* Not allowed to remove non-owned entries */
> > + return 0;
> > + }
> > + break;
> > + }
> > + default:
> > + /* Not allowed to remove non-owned entries */
> > + return 0;
>
> How do you remove TYPE_DMABUF entries after this patch?
>
>
TYPE_DMABUF are meant for virtio devices that run with Qemu
(i.e., not vhost). So owners will not send these messages, but
access the hash table directly.
> > + }
> > +
> > memcpy(uuid.data, object->uuid, sizeof(object->uuid));
> > return virtio_remove_resource(&uuid);
> > }
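Review bot: `virtio_object_type(&uuid)` at the top of the new switch, and `virtio_lookup_vhost_device(&uuid)` in the TYPE_VHOST_DEV case, both read `uuid` before the `memcpy(uuid.data, object->uuid, sizeof(object->uuid))` that fills it, so the ownership check runs on indeterminate stack data rather than on the UUID the backend sent. Move the memcpy above the switch so the type and owner lookups operate on the requested UUID; that also resolves the -Werror=maybe-uninitialized build error reported above.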
> > @@ -1785,7 +1801,8 @@ static gboolean backend_read(QIOChannel *ioc,
> GIOCondition condition,
> > ret = vhost_user_backend_handle_shared_object_add(dev,
> &payload.object);
> > break;
> > case VHOST_USER_BACKEND_SHARED_OBJECT_REMOVE:
> > - ret =
> vhost_user_backend_handle_shared_object_remove(&payload.object);
> > + ret = vhost_user_backend_handle_shared_object_remove(dev,
> > +
> &payload.object);
> > break;
> > case VHOST_USER_BACKEND_SHARED_OBJECT_LOOKUP:
> > ret =
> vhost_user_backend_handle_shared_object_lookup(dev->opaque, ioc,
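Review bot: the `dev` passed to vhost_user_backend_handle_shared_object_remove() at this call site becomes the identity the handler compares against the entry's owner, so the check is only as strong as the binding between this `dev` and the channel `ioc` that backend_read() received the message on. A short comment here stating that `dev` is the device this backend channel belongs to would make that assumption explicit for anyone adding further callers.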
> > --
> > 2.41.0
> >
>
>
> --
> Marc-André Lureau
>
>