Re: Security hole in vhost-vdpa?

From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: Martin Petrus Hubertus Habets <martinh@xilinx.com>,
	Harpreet Singh Anand <hanand@xilinx.com>,
	Gautam Dawar <gdawar@xilinx.com>,
	"virtualization@lists.linux-foundation.org"
	<virtualization@lists.linux-foundation.org>
Subject: Re: Security hole in vhost-vdpa?
Date: Thu, 10 Jun 2021 00:30:04 -0400	[thread overview]
Message-ID: <20210610002358-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <82e91727-79f4-b6f1-37f1-9fb5bdf67b8d@redhat.com>

On Mon, Jun 07, 2021 at 10:10:03AM +0800, Jason Wang wrote:
> 
> 在 2021/6/7 上午5:38, Michael S. Tsirkin 写道:
> > On Sun, Jun 06, 2021 at 02:39:48PM +0000, Gautam Dawar wrote:
> > > Hi All,
> > > 
> > > 
> > > This is in continuation to my findings noted in Bug 213179 and discussions we
> > > have had in the last couple of weeks over emails.
> > > 
> > > 
> > > Today, I published the first patch for this issue which adds timeout based wait
> > > for completion event and also logs a warning message to alert the user/
> > > administrator of the problem.
> > Can't close just finish without waiting for userspace?
> 
> 
> It works as long as we don't use mmap(). When we map kicks, it looks to me
> there's no way to "revoke" the mapping from userspace?
> 
> Thanks

Can't we track these mappings and map some other page there?
Likely no more than one is needed ...

> 
> > Then notify userspace about any buffers that did not complete ...
> > 
> > 
> > > As a next step, the idea is to implement a mechanism to allow vhost-vdpa module
> > > notify userspace app (QEMU) to close the fd corresponding to the vhost-vdpa
> > > character device when it is waiting for the completion event in
> > > vhost_vdpa_remove(). Jason confirmed this by saying that we need a new eventfd/
> > > ioctl to receive hot remove request from kernel.
> > > 
> > > 
> > > Although, we can proceed to implement changes for the part described above but
> > > I feel that that the problem is much deeper than that. This mechanism will just
> > > request the userspace to close the fd and let vhost-vdpa proceed with the
> > > clean-up. However, IMHO things should be under more control of kernel space
> > > than the user space.
> > > 
> > > 
> > > The problem I am trying to highlight is that a malicious user-space application
> > > can render any module registering a vDPA device to hang in their
> > > de-initialization sequence. This will typically surface when
> > > vdpa_device_unregister() is called from the function responsible for module
> > > unload leading rmmod commands to not return, forever.
> > > 
> > > 
> > > To prove my point, I created a simple C program (test_vdpa.c) that opens the
> > > vhost-vdpa character device and never exits. The logs (test_logs.txt) show that
> > > after registering the vDPA device from sfc driver, vhost-vdpa module creates
> > > the char device /dev/vhost-vdpa-0  for it. As this is available to all apps in
> > > the userspace, the malicious app (./block_vdpa_unload) opens this device and
> > > goes to infinite sleep. At this time, when module unload (rmmod sfc) is called,
> > > it hangs and the following print informs the user/admin of this state with
> > > following message:
> > > 
> > > [ 8180.053647]  vhost-vdpa-0: vhost_vdpa_remove waiting for /dev/vhost-vdpa-0
> > > to be closed
> > > 
> > > 
> > > Finally, when block_vdpa_unload is killed, vhost_vdpa_remove() unblocks and sfc
> > > module is unloaded.
> > > 
> > > 
> > > With such application running in userspace, a kernel module (that registered
> > > corresponding vDPA device) will hang during unload sequence. Such control of
> > > the userspace application on the system resources should certainly be
> > > prevented.
> > > 
> > > To me, this seems to be a serious issue and requires modifications in the way
> > > it is currently handled in vhost-vdpa (and other modules (VFIO?) with similar
> > > implementation).
> > > 
> > > Let me know what you think.
> > > 
> > > 
> > > Regards,
> > > 
> > > Gautam Dawar
> > > 
> > > #include <sys/stat.h>
> > > #include <unistd.h>
> > > #include <stdlib.h>
> > > #include <stdio.h>
> > > #include <fcntl.h>
> > > #include <errno.h>
> > > 
> > > int main(int argc, char **argv)
> > > {
> > >     unsigned int index;
> > >     char dev_path[30];
> > >     int fd;
> > > 
> > >     if (argc != 2) {
> > > 	   printf("Usage: %s <vhost-vdpa device index>\n", argv[0]);
> > > 	   return -1;
> > >     }
> > > 
> > >     index = strtoul(argv[1], NULL, 10);
> > > 
> > >     snprintf(dev_path, sizeof(dev_path), "/dev/vhost-vdpa-%u", index);
> > >     fd = open(dev_path, O_RDWR);
> > >     if(fd < 0)
> > >     {
> > >         printf("Failed to open %s, errno: %d!\n", dev_path, errno);
> > >         return 1;
> > >     }
> > > 
> > >     printf("Blocking unload of driver that registered vDPA device"
> > > 	  " corresponding to cdev %s created by vhost-vdpa\n", dev_path);
> > >     while (1)
> > > 	   sleep(1);
> > > 
> > >     close(fd);
> > >     return 0;
> > > }
> > > [root@ndr730p ~]# ~/create_vdpa_device.sh
> > > 
> > > [root@ndr730p ~]# ll /dev/vhost-vdpa-0
> > > crw------- 1 root root 240, 0 Jun  6 19:59 /dev/vhost-vdpa-0
> > > 
> > > [root@ndr730p ~]# ./block_vdpa_unload 0 &
> > > [1] 10930
> > > Blocking unload of driver that registered vDPA device corresponding to cdev /dev/vhost-vdpa-0 created by vhost-vdpa
> > > 
> > > [root@ndr730p ~]# rmmod sfc
> > > [ 8179.010520] sfc_ef100 0000:06:00.4: ef100_vdpa_delete: Calling vdpa unregister device
> > > [ 8180.053647]  vhost-vdpa-0: vhost_vdpa_remove waiting for /dev/vhost-vdpa-0 to be closed
> > > 
> > > [root@ndr730p ~]# kill -9 10930
> > > [ 8218.392897] sfc_ef100 0000:06:00.0: shutdown successful
> > > 

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization