* i386/xen: prevent guest from binding loopback event channel to itself
@ 2023-07-25 10:05 David Woodhouse
2023-07-26 8:44 ` Paul Durrant
0 siblings, 1 reply; 5+ messages in thread
From: David Woodhouse @ 2023-07-25 10:05 UTC (permalink / raw)
To: Paul Durrant, Paolo Bonzini, Richard Henderson, Eduardo Habkost,
Michael S. Tsirkin, Marcel Apfelbaum, qemu-devel
From: David Woodhouse <dwmw@amazon.co.uk>
Fuzzing showed that a guest could bind an interdomain port to itself, by
guessing the next port to be allocated and putting that as the 'remote'
port number. By chance, that works because the newly-allocated port has
type EVTCHNSTAT_unbound. It shouldn't.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
---
hw/i386/kvm/xen_evtchn.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
index 0e9c108614..70b4b8a6ef 100644
--- a/hw/i386/kvm/xen_evtchn.c
+++ b/hw/i386/kvm/xen_evtchn.c
@@ -1408,8 +1408,15 @@ int xen_evtchn_bind_interdomain_op(struct evtchn_bind_interdomain *interdomain)
XenEvtchnPort *rp = &s->port_table[interdomain->remote_port];
XenEvtchnPort *lp = &s->port_table[interdomain->local_port];
- if (rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) {
- /* It's a match! */
+ /*
+ * The 'remote' port for loopback must be an unbound port allocated for
+ * communication with the local domain (as indicated by rp->type_val
+ * being zero, not PORT_INFO_TYPEVAL_REMOTE_QEMU), and must *not* be
+ * the port that was just allocated for the local end.
+ */
+ if (interdomain->local_port != interdomain->remote_port &&
+ rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) {
+
rp->type = EVTCHNSTAT_interdomain;
rp->type_val = interdomain->local_port;
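Review bot: The new inequality guard on the `+ if (interdomain->local_port != interdomain->remote_port &&` line is the right shape, since without it `rp` and `lp` alias the same `port_table` entry and the assignment `rp->type_val = interdomain->local_port;` would leave the port pointing at itself; the comment explains the `type_val == 0` condition but the commit message should also state that `local_port` is the port allocated by this same call, so a reader sees why simple inequality is sufficient. Since the bug was found by fuzzing, a regression test that binds with `remote_port` equal to the freshly allocated `local_port` and expects failure would keep this path covered. Style nit: the blank `+` line added directly after the `if` opening brace is unnecessary and should be dropped.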
--
2.34.1
* Re: i386/xen: prevent guest from binding loopback event channel to itself
2023-07-25 10:05 i386/xen: prevent guest from binding loopback event channel to itself David Woodhouse
@ 2023-07-26 8:44 ` Paul Durrant
2023-07-26 9:07 ` David Woodhouse
0 siblings, 1 reply; 5+ messages in thread
From: Paul Durrant @ 2023-07-26 8:44 UTC (permalink / raw)
To: David Woodhouse, Paolo Bonzini, Richard Henderson,
Eduardo Habkost, Michael S. Tsirkin, Marcel Apfelbaum, qemu-devel
On 25/07/2023 11:05, David Woodhouse wrote:
> From: David Woodhouse <dwmw@amazon.co.uk>
>
> Fuzzing showed that a guest could bind an interdomain port to itself, by
> guessing the next port to be allocated and putting that as the 'remote'
> port number. By chance, that works because the newly-allocated port has
> type EVTCHNSTAT_unbound. It shouldn't.
>
> Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
> ---
> hw/i386/kvm/xen_evtchn.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
Reviewed-by: Paul Durrant <paul@xen.org>
* Re: i386/xen: prevent guest from binding loopback event channel to itself
2023-07-26 8:44 ` Paul Durrant
@ 2023-07-26 9:07 ` David Woodhouse
2023-07-26 9:24 ` Paul Durrant
0 siblings, 1 reply; 5+ messages in thread
From: David Woodhouse @ 2023-07-26 9:07 UTC (permalink / raw)
To: paul, Paolo Bonzini, Richard Henderson, Eduardo Habkost,
Michael S. Tsirkin, Marcel Apfelbaum, qemu-devel
On Wed, 2023-07-26 at 09:44 +0100, Paul Durrant wrote:
> On 25/07/2023 11:05, David Woodhouse wrote:
> > From: David Woodhouse <dwmw@amazon.co.uk>
> >
> > Fuzzing showed that a guest could bind an interdomain port to itself, by
> > guessing the next port to be allocated and putting that as the 'remote'
> > port number. By chance, that works because the newly-allocated port has
> > type EVTCHNSTAT_unbound. It shouldn't.
> >
> > Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
> > ---
> > hw/i386/kvm/xen_evtchn.c | 11 +++++++++--
> > 1 file changed, 9 insertions(+), 2 deletions(-)
> >
>
> Reviewed-by: Paul Durrant <paul@xen.org>
>
Thanks. I'll change the title prefix to 'hw/xen' since it's in hw/ not
target/i386. Please can I also have a review for
https://lore.kernel.org/qemu-devel/20076888f6bdf06a65aafc5cf954260965d45b97.camel@infradead.org/
I'll then send these outstanding patches from my tree as a series for
8.1:
David Woodhouse (4):
hw/xen: Clarify (lack of) error handling in transaction_commit()
hw/xen: fix off-by-one in xen_evtchn_set_gsi()
i386/xen: consistent locking around Xen singleshot timers
hw/xen: prevent guest from binding loopback event channel to itself
* Re: i386/xen: prevent guest from binding loopback event channel to itself
2023-07-26 9:07 ` David Woodhouse
@ 2023-07-26 9:24 ` Paul Durrant
2023-07-26 17:48 ` Bernhard Beschow
0 siblings, 1 reply; 5+ messages in thread
From: Paul Durrant @ 2023-07-26 9:24 UTC (permalink / raw)
To: David Woodhouse, Paolo Bonzini, Richard Henderson,
Eduardo Habkost, Michael S. Tsirkin, Marcel Apfelbaum, qemu-devel
On 26/07/2023 10:07, David Woodhouse wrote:
> On Wed, 2023-07-26 at 09:44 +0100, Paul Durrant wrote:
>> On 25/07/2023 11:05, David Woodhouse wrote:
>>> From: David Woodhouse <dwmw@amazon.co.uk>
>>>
>>> Fuzzing showed that a guest could bind an interdomain port to itself, by
>>> guessing the next port to be allocated and putting that as the 'remote'
>>> port number. By chance, that works because the newly-allocated port has
>>> type EVTCHNSTAT_unbound. It shouldn't.
>>>
>>> Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
>>> ---
>>> hw/i386/kvm/xen_evtchn.c | 11 +++++++++--
>>> 1 file changed, 9 insertions(+), 2 deletions(-)
>>>
>>
>> Reviewed-by: Paul Durrant <paul@xen.org>
>>
>
> Thanks. I'll change the title prefix to 'hw/xen' since it's in hw/ not
> target/i386.
Yes, makes sense.
> Please can I also have a review for
> https://lore.kernel.org/qemu-devel/20076888f6bdf06a65aafc5cf954260965d45b97.camel@infradead.org/
>
Sorry I missed that. Done.
Cheers,
Paul
* Re: i386/xen: prevent guest from binding loopback event channel to itself
2023-07-26 9:24 ` Paul Durrant
@ 2023-07-26 17:48 ` Bernhard Beschow
0 siblings, 0 replies; 5+ messages in thread
From: Bernhard Beschow @ 2023-07-26 17:48 UTC (permalink / raw)
To: paul, Paul Durrant, David Woodhouse, Paolo Bonzini,
Richard Henderson, Eduardo Habkost, Michael S. Tsirkin,
Marcel Apfelbaum, qemu-devel
Cc: Olaf Hering
On 26 July 2023 09:24:28 UTC, Paul Durrant <xadimgnik@gmail.com> wrote:
>On 26/07/2023 10:07, David Woodhouse wrote:
>> On Wed, 2023-07-26 at 09:44 +0100, Paul Durrant wrote:
>>> On 25/07/2023 11:05, David Woodhouse wrote:
>>>> From: David Woodhouse <dwmw@amazon.co.uk>
>>>>
>>>> Fuzzing showed that a guest could bind an interdomain port to itself, by
>>>> guessing the next port to be allocated and putting that as the 'remote'
>>>> port number. By chance, that works because the newly-allocated port has
>>>> type EVTCHNSTAT_unbound. It shouldn't.
>>>>
>>>> Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
>>>> ---
>>>> hw/i386/kvm/xen_evtchn.c | 11 +++++++++--
>>>> 1 file changed, 9 insertions(+), 2 deletions(-)
>>>>
>>>
>>> Reviewed-by: Paul Durrant <paul@xen.org>
>>>
>>
>> Thanks. I'll change the title prefix to 'hw/xen' since it's in hw/ not
>> target/i386.
>
>Yes, makes sense.
>
>> Please can I also have a review for
>> https://lore.kernel.org/qemu-devel/20076888f6bdf06a65aafc5cf954260965d45b97.camel@infradead.org/
>>
>
>Sorry I missed that. Done.
And that one, too please? https://lore.kernel.org/qemu-devel/20230720072950.20198-1-olaf@aepfle.de/
Sorry for cross posting, but the patch would be good to have in 8.1.
Best regards,
Bernhard
>
>Cheers,
>
> Paul
>