From: Halil Pasic <pasic@linux.ibm.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "kaplan, david" <david.kaplan@amd.com>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
"Hetzelt, Felicitas" <f.hetzelt@tu-berlin.de>,
linux-kernel <linux-kernel@vger.kernel.org>,
virtualization <virtualization@lists.linux-foundation.org>,
Halil Pasic <pasic@linux.ibm.com>,
Stefan Hajnoczi <stefanha@redhat.com>
Subject: Re: [PATCH V5 1/4] virtio_ring: validate used buffer length
Date: Tue, 23 Nov 2021 13:43:01 +0100 [thread overview]
Message-ID: <20211123134301.0dd999ad.pasic@linux.ibm.com> (raw)
In-Reply-To: <20211123071340-mutt-send-email-mst@kernel.org>
On Tue, 23 Nov 2021 07:17:05 -0500
"Michael S. Tsirkin" <mst@redhat.com> wrote:
> On Mon, Nov 22, 2021 at 02:50:03PM +0100, Halil Pasic wrote:
> > On Mon, 22 Nov 2021 14:25:26 +0800
> > Jason Wang <jasowang@redhat.com> wrote:
> >
> > > On Mon, Nov 22, 2021 at 1:49 PM Halil Pasic <pasic@linux.ibm.com> wrote:
> > > >
> > > > On Mon, 22 Nov 2021 06:35:18 +0100
> > > > Halil Pasic <pasic@linux.ibm.com> wrote:
> > > >
> > > > > > I think it should be a common issue, looking at
> > > > > > vhost_vsock_handle_tx_kick(), it did:
> > > > > >
> > > > > > len += sizeof(pkt->hdr);
> > > > > > vhost_add_used(vq, head, len);
> > > > > >
> > > > > > which looks like a violation of the spec since it's TX.
> > > > >
> > > > > I'm not sure the lines above look like a violation of the spec. If you
> > > > > examine vhost_vsock_alloc_pkt() I believe that you will agree that:
> > > > > len == pkt->len == pkt->hdr.len
> > > > > which makes sense since according to the spec both tx and rx messages
> > > > > are hdr+payload. And I believe hdr.len is the size of the payload,
> > > > > although that does not seem to be properly documented by the spec.
> > >
> > > Sorry for being unclear, what I meant is that we probably should use
> > > zero here. TX doesn't use in buffer actually.
> > >
> > > According to the spec, 0 should be the used length:
> > >
> > > "and len the total of bytes written into the buffer."
> >
> > Right, I was wrong. I somehow assumed this is the total length and not
> > just the number of bytes written.
> >
> > >
> > > > >
> > > > > On the other hand tx messages are stated to be device read-only (in the
> > > > > spec) so if the device writes stuff, that is certainly wrong.
> > > > >
> > >
> > > Yes.
> > >
> > > > > If that is what happens.
> > > > >
> > > > > Looking at virtqueue_get_buf_ctx_split() I'm not sure that is what
> > > > > happens. My hypothesis is that we just a last descriptor is an 'in'
> > > > > type descriptor (i.e. a device writable one). For tx that assumption
> > > > > would be wrong.
> > > > >
> > > > > I will have another look at this today and send a fix patch if my
> > > > > suspicion is confirmed.
> >
> > Yeah, I didn't remember the semantic of
> > vq->split.vring.used->ring[last_used].len
> > correctly, and in fact also how exactly the rings work. So your objection
> > is correct.
> >
> > Maybe updating some stuff would make it easier to not make this mistake.
> >
> > For example the spec and also the linux header says:
> >
> > /* le32 is used here for ids for padding reasons. */
> > struct virtq_used_elem {
> > /* Index of start of used descriptor chain. */
> > le32 id;
> > /* Total length of the descriptor chain which was used (written to) */
> > le32 len;
> > };
> >
> > I think that comment isn't as clear as it could be. I would prefer:
> > /* The number of bytes written into the device writable portion of the
> > buffer described by the descriptor chain. */
> >
> > I believe "the descriptor chain which was used" includes both the
> > descriptors that map the device read only and the device write
> > only portions of the buffer described by the descriptor chain. And the
> > total length of that descriptor chain may be defined either as a number
> > of the descriptors that form the chain, or the length of the buffer.
> >
> > One has to use the descriptor chain even if the whole buffer is device
> > read only. So "used" == "written to" does not make any sense to me.
>
> The virtio spec actually says
>
> Total length of the descriptor chain which was written to
>
> without the "used" part.
Yes, that is in the text after the (pseudo-)code listing which contains
the description I was referring to (in 2.6.8 The Virtqueue Used Ring).
>
> > Also something like
> > int vhost_add_used(struct vhost_virtqueue *vq, unsigned int head, int bytes_written)
> > instead of
> > int vhost_add_used(struct vhost_virtqueue *vq, unsigned int head, int len)
> > would make it easier to read the code correctly.
>
> I think we agree here. Patches?
>
Will send some :D
Thanks!
[..]
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
next prev parent reply other threads:[~2021-11-23 12:43 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 2:21 [PATCH V5 0/4] Validate used buffer length Jason Wang
2021-10-27 2:21 ` [PATCH V5 1/4] virtio_ring: validate " Jason Wang
2021-11-02 3:18 ` Xuan Zhuo
2021-11-02 3:54 ` Jason Wang
2021-11-19 15:09 ` Halil Pasic
2021-11-22 3:51 ` Jason Wang
2021-11-22 5:35 ` Halil Pasic
2021-11-22 5:49 ` Halil Pasic
2021-11-22 6:25 ` Jason Wang
2021-11-22 7:55 ` Stefano Garzarella
2021-11-22 11:08 ` Stefano Garzarella
2021-11-22 14:24 ` Halil Pasic
2021-11-22 16:23 ` Stefano Garzarella
2021-11-22 13:50 ` Halil Pasic
2021-11-23 2:30 ` Jason Wang
2021-11-23 12:17 ` Michael S. Tsirkin
2021-11-23 12:43 ` Halil Pasic [this message]
2021-11-22 20:23 ` Halil Pasic
2021-11-23 2:25 ` Jason Wang
2021-11-23 11:05 ` Michael S. Tsirkin
2021-11-24 1:30 ` Michael Ellerman
2021-11-24 2:26 ` Jason Wang
2021-11-24 2:33 ` Jason Wang
2021-11-24 7:22 ` Michael S. Tsirkin
2021-11-24 7:59 ` Jason Wang
2021-11-24 8:24 ` Michael S. Tsirkin
2021-11-24 8:28 ` Jason Wang
2021-11-24 11:33 ` Halil Pasic
2021-11-25 2:27 ` Jason Wang
2021-11-22 7:42 ` Stefano Garzarella
2021-10-27 2:21 ` [PATCH V5 2/4] virtio-net: don't let virtio core to validate used length Jason Wang
2021-10-27 2:21 ` [PATCH V5 3/4] virtio-blk: " Jason Wang
2021-10-27 2:21 ` [PATCH V5 4/4] virtio-scsi: don't let virtio core to validate used buffer length Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211123134301.0dd999ad.pasic@linux.ibm.com \
--to=pasic@linux.ibm.com \
--cc=david.kaplan@amd.com \
--cc=f.hetzelt@tu-berlin.de \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mst@redhat.com \
--cc=stefanha@redhat.com \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).