From: Dan Carpenter <dan.carpenter@oracle.com>
To: Yongji Xie <xieyongji@bytedance.com>
Cc: "Jens Axboe" <axboe@kernel.dk>,
"Jonathan Corbet" <corbet@lwn.net>,
linux-kernel <linux-kernel@vger.kernel.org>,
kvm <kvm@vger.kernel.org>, "Michael S. Tsirkin" <mst@redhat.com>,
netdev@vger.kernel.org, "Randy Dunlap" <rdunlap@infradead.org>,
iommu@lists.linux-foundation.org,
"Matthew Wilcox" <willy@infradead.org>,
virtualization <virtualization@lists.linux-foundation.org>,
"Christoph Hellwig" <hch@infradead.org>,
"Christian Brauner" <christian.brauner@canonical.com>,
bcrl@kvack.org, viro@zeniv.linux.org.uk,
"Stefan Hajnoczi" <stefanha@redhat.com>,
linux-fsdevel@vger.kernel.org, joro@8bytes.org,
"Mika Penttilä" <mika.penttila@nextfour.com>
Subject: Re: [PATCH v7 04/12] virtio-blk: Add validation for block size in config space
Date: Wed, 19 May 2021 17:42:06 +0300
Message-ID: <20210519144206.GF32682@kadam>
In-Reply-To: <CACycT3s1rEvNnNkJKQsHGRsyLPADieFdVkb1Sp3GObR0Vox5Fg@mail.gmail.com>

On Wed, May 19, 2021 at 09:39:20PM +0800, Yongji Xie wrote:
> On Mon, May 17, 2021 at 5:56 PM Xie Yongji <xieyongji@bytedance.com> wrote:
> >
> > This ensures that we will not use an invalid block size
> > in config space (might come from an untrusted device).

I looked at whether I should add this as an untrusted function so that
Smatch could find these sorts of bugs, but this is reading data from the
host so there has to be some level of trust...

I should add some more untrusted data kvm functions to Smatch. Right
now I only have kvm_register_read() and I've added kvm_read_guest_virt()
just now.

> >
> > Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
> > ---
> > drivers/block/virtio_blk.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
> > index ebb4d3fe803f..c848aa36d49b 100644
> > --- a/drivers/block/virtio_blk.c
> > +++ b/drivers/block/virtio_blk.c
> > @@ -826,7 +826,7 @@ static int virtblk_probe(struct virtio_device *vdev)
> > err = virtio_cread_feature(vdev, VIRTIO_BLK_F_BLK_SIZE,
> > struct virtio_blk_config, blk_size,
> > &blk_size);
> > - if (!err)
> > + if (!err && blk_size > 0 && blk_size <= max_size)
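
Review bot: on the added line `if (!err && blk_size > 0 && blk_size <= max_size)`, the lower bound `blk_size > 0` still accepts values such as 1 or 513, which are neither a multiple of the 512-byte sector nor a power of two, and the hunk does not show where `max_size` is declared or what it holds at this point in virtblk_probe(). Consider bounding the value against named constants (a 512-byte minimum and an explicit upper limit) together with a power-of-two test. Because the test is folded into the `!err` condition, an out-of-range value from the device is handled exactly like the feature not being offered; a warning or a failed probe would make a misbehaving device visible instead of silently ignoring it.
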
>
> The check here is incorrect. I will use PAGE_SIZE as the maximum
> boundary in the new version.

What does this bug look like to the user? A minimum block size of 1
seems pretty crazy. Surely the minimum should be higher?

regards,
dan carpenter