* [PATCH v3 0/4] vdpa: Enable strict validation for netlink ops
From: Dragos Tatulea via Virtualization @ 2023-07-27 17:57 UTC (permalink / raw)
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: linux-kernel, virtualization
The original patch from Lin Ma enables the vdpa driver to use validation
netlink ops. The patch got split into 3 parts for easier backporting.
The last patch simply disables the validation skip which is no longer
necessary. Patchset started off from this discussion [0].
[0] https://lore.kernel.org/virtualization/20230726074710-mutt-send-email-mst@kernel.org/T/#t
v3:
- Split initial patch for easier backporting.
- Correctly marked patches for stable inclusion.
v2:
- cc'ed stable
Dragos Tatulea (1):
vdpa: Enable strict validation for netlinks ops
Lin Ma (3):
vdpa: Add features attr to vdpa_nl_policy for nlattr length check
vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
drivers/vdpa/vdpa.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--
2.41.0
_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization
* [PATCH 1/4] vdpa: Add features attr to vdpa_nl_policy for nlattr length check
From: Dragos Tatulea via Virtualization @ 2023-07-27 17:57 UTC (permalink / raw)
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: linux-kernel, stable, virtualization
From: Lin Ma <linma@zju.edu.cn>
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa features attr to avoid
such bugs.
Fixes: 90fea5a800c3 ("vdpa: device feature provisioning")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 965e32529eb8..3ad355a2208a 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1249,6 +1249,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
[VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
/* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
[VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
+ [VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
};
static const struct genl_ops vdpa_nl_ops[] = {
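Review bot: The new `[VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 }` entry is justified only by the generic "OOB read just like CVE-2023-3773" wording; the commit message does not name the handler in vdpa_nl_ops that reads this attribute, so someone backporting cannot confirm from the patch which code path was exposed. Please add a sentence naming that handler. Note also that NLA_U64 fixes only the payload length: any 64-bit value passes the policy, so which feature bits are acceptable still has to be checked in the handler, and the message should say that this is the case.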
--
2.41.0
* [PATCH 2/4] vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check
From: Dragos Tatulea via Virtualization @ 2023-07-27 17:57 UTC (permalink / raw)
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: stable, linux-kernel, virtualization
From: Lin Ma <linma@zju.edu.cn>
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa queue index attr to avoid
such bugs.
Fixes: 13b00b135665 ("vdpa: Add support for querying vendor statistics")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 3ad355a2208a..75f1df2b9d2a 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1249,6 +1249,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
[VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
/* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
[VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
+ [VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
[VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },
};
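Review bot: The trailing context of this hunk contains `[VDPA_ATTR_DEV_FEATURES] = { .type = NLA_U64 },`, a line that exists only after patch 1/4, yet this patch carries a different Fixes: tag (13b00b135665 here, 90fea5a800c3 there). A stable tree that has one of those commits but not the other would take this patch without 1/4, and the hunk would not apply as posted. Since the cover letter says the split is for easier backporting, please either note the dependency on 1/4 in the commit message or order the series so that each policy entry applies against context that predates the others. The entry itself checks only that the payload is 4 bytes; the handler still has to compare the index against the device's queue count.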
--
2.41.0
* [PATCH 3/4] vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check
From: Dragos Tatulea via Virtualization @ 2023-07-27 17:57 UTC (permalink / raw)
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: linux-kernel, stable, virtualization
From: Lin Ma <linma@zju.edu.cn>
The vdpa_nl_policy structure is used to validate the nlattr when parsing
the incoming nlmsg. It will ensure the attribute being described produces
a valid nlattr pointer in info->attrs before entering into each handler
in vdpa_nl_ops.
That is to say, the missing part in vdpa_nl_policy may lead to illegal
nlattr after parsing, which could lead to OOB read just like CVE-2023-3773.
This patch adds the missing nla_policy for vdpa max vqp attr to avoid
such bugs.
Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 75f1df2b9d2a..f2f654fd84e5 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1247,6 +1247,7 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
[VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING },
[VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING },
[VDPA_ATTR_DEV_NET_CFG_MACADDR] = NLA_POLICY_ETH_ADDR,
+ [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 },
/* virtio spec 1.1 section 5.1.4.1 for valid MTU range */
[VDPA_ATTR_DEV_NET_CFG_MTU] = NLA_POLICY_MIN(NLA_U16, 68),
[VDPA_ATTR_DEV_QUEUE_INDEX] = { .type = NLA_U32 },
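Review bot: `[VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 }` constrains only the length, so a value of 0 passes the policy, whereas the MTU entry two lines below encodes its valid range with `NLA_POLICY_MIN(NLA_U16, 68)`. If zero queue pairs is never a meaningful request, `NLA_POLICY_MIN(NLA_U16, 1)` would reject it at parse time; otherwise please state in the commit message that the range is checked in the handler.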
--
2.41.0
* [PATCH 4/4] vdpa: Enable strict validation for netlinks ops
From: Dragos Tatulea via Virtualization @ 2023-07-27 17:57 UTC (permalink / raw)
To: Michael S . Tsirkin, Lin Ma, Jason Wang, Xuan Zhuo, Parav Pandit
Cc: linux-kernel, stable, virtualization
The previous patches added the missing nla policies that were required for
validation to work.
Now strict validation on netlink ops can be enabled. This patch does it.
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Cc: stable@vger.kernel.org
---
drivers/vdpa/vdpa.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index f2f654fd84e5..a7612e0783b3 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -1257,37 +1257,31 @@ static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
static const struct genl_ops vdpa_nl_ops[] = {
{
.cmd = VDPA_CMD_MGMTDEV_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_mgmtdev_get_doit,
.dumpit = vdpa_nl_cmd_mgmtdev_get_dumpit,
},
{
.cmd = VDPA_CMD_DEV_NEW,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_add_set_doit,
.flags = GENL_ADMIN_PERM,
},
{
.cmd = VDPA_CMD_DEV_DEL,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_del_set_doit,
.flags = GENL_ADMIN_PERM,
},
{
.cmd = VDPA_CMD_DEV_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_get_doit,
.dumpit = vdpa_nl_cmd_dev_get_dumpit,
},
{
.cmd = VDPA_CMD_DEV_CONFIG_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_config_get_doit,
.dumpit = vdpa_nl_cmd_dev_config_get_dumpit,
},
{
.cmd = VDPA_CMD_DEV_VSTATS_GET,
- .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
.doit = vdpa_nl_cmd_dev_stats_get_doit,
.flags = GENL_ADMIN_PERM,
},
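Review bot: Dropping `.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP` from all six ops changes which userspace requests are accepted, but the commit message carries Cc: stable with no Fixes: tag and no record of which attributes were audited per command. Under strict validation an attribute that has no vdpa_nl_policy entry is rejected instead of being handed to the handler, so please state that every VDPA_ATTR_* userspace may send to these commands now has a policy entry and that existing tooling was tested, including dump requests for the three ops that set .dumpit. A Fixes: tag or an explicit stable range would also tell stable maintainers how far back this is safe, given that patches 1/4 to 3/4 each fix a different commit.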
--
2.41.0
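
The effect the commit messages in patches 1/4 to 3/4 describe (a missing policy entry lets an unchecked attribute reach the handler) and the effect of the strict mode enabled in 4/4, as an added example that is not code from these patches or from the kernel. It is a simplified userspace model: every name, the wire layout and the two sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model, not kernel code: all names are hypothetical and the
 * wire format is simplified to u16 len (header included) + u16 type. */
enum { A_UNSPEC, A_MTU, A_FEATURES, A_MAX = A_FEATURES };
enum { T_NONE, T_U16, T_U64 };              /* T_NONE: no policy entry */
#define HDR 4u                              /* attribute header bytes */
static const uint16_t type_size[] = { 0, 2, 8 };        /* indexed by T_* */
static const uint8_t policy_old[A_MAX + 1] = { [A_MTU] = T_U16 };
static const uint8_t policy_new[A_MAX + 1] = { [A_MTU] = T_U16, [A_FEATURES] = T_U64 };
/* Constructed samples: A_FEATURES with 2 payload bytes (+2 pad), and with 8. */
static const uint16_t short_features[4] = { HDR + 2, A_FEATURES, 0xffff, 0 };
static const uint16_t full_features[6] = { HDR + 8, A_FEATURES, 1, 2, 3, 4 };

/* Fill tb[] with accepted attributes; 0 on success, -1 on rejection.
 * Lenient mode passes attributes that have no policy entry unchecked. */
static int parse(const uint16_t *a, size_t n, const uint8_t *policy,
                 int strict, const uint16_t *tb[A_MAX + 1])
{
    while (n >= HDR) {
        uint16_t len = a[0], type = a[1];
        size_t step = (len + 3u) & ~(size_t)3;           /* 4-byte alignment */
        int known = type <= A_MAX && policy[type] != T_NONE;

        if (len < HDR || len > n || (!known && strict))
            return -1;      /* malformed, or no policy entry in strict mode */
        if (known && len - HDR != type_size[policy[type]])
            return -1;      /* payload size does not match the policy */
        if (type <= A_MAX)
            tb[type] = a;
        a += (step > n ? n : step) / 2;
        n -= step > n ? n : step;
    }
    return n ? -1 : 0;
}

/* -1: rejected. Otherwise 1 if a handler's unconditional 8-byte read of
 * A_FEATURES stays inside the payload, 0 if it would run past it. */
static int features_outcome(const uint16_t *msg, size_t n, const uint8_t *policy, int strict)
{
    const uint16_t *tb[A_MAX + 1] = { 0 };
    if (parse(msg, n, policy, strict, tb))
        return -1;
    return tb[A_FEATURES] && tb[A_FEATURES][0] - HDR >= 8;
}

int main(void)
{
    printf("short, old policy, lenient: %d\n", features_outcome(short_features, sizeof short_features, policy_old, 0));
    printf("short, old policy, strict:  %d\n", features_outcome(short_features, sizeof short_features, policy_old, 1));
    printf("short, new policy, lenient: %d\n", features_outcome(short_features, sizeof short_features, policy_new, 0));
    printf("full,  new policy, strict:  %d\n", features_outcome(full_features, sizeof full_features, policy_new, 1));
}
```

Only the first case accepts the short attribute, which is the state the policy additions remove; strict mode closes it even when an entry is missing.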