Date: Tue, 10 Aug 2021 14:59:41 +0800
From: Jason Wang <jasowang@...hat.com>
To: Yongji Xie <xieyongji@...edance.com>
Cc: "Michael S. Tsirkin" <mst@...hat.com>, Stefan Hajnoczi <stefanha@...hat.com>, virtualization <virtualization@...ts.linux-foundation.org>, linux-block@...r.kernel.org, linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v5] virtio-blk: Add validation for block size in config space

On 2021/8/10 at 12:59 PM, Yongji Xie wrote:
> On Tue, Aug 10, 2021 at 11:05 AM Jason Wang <jasowang@...hat.com> wrote:
>>
>> On 2021/8/9 at 6:16 PM, Xie Yongji wrote:
>>> An untrusted device might present an invalid block size
>>> in configuration space. This tries to add validation for it
>>> in the validate callback and clear the VIRTIO_BLK_F_BLK_SIZE
>>> feature bit if the value is out of the supported range.
>>>
>>> And we also double check the value in virtblk_probe() in
>>> case that it's changed after the validation.
>>>
>>> Signed-off-by: Xie Yongji <xieyongji@...edance.com>
>>> --- >>> drivers/block/virtio_blk.c | 39 +++++++++++++++++++++++++++++++++------ >>> 1 file changed, 33 insertions(+), 6 deletions(-) >>> >>> diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c >>> index 4b49df2dfd23..afb37aac09e8 100644 >>> --- a/drivers/block/virtio_blk.c >>> +++ b/drivers/block/virtio_blk.c 
>>> @@ -692,6 +692,28 @@ static const struct blk_mq_ops virtio_mq_ops = { >>> static unsigned int virtblk_queue_depth; >>> module_param_named(queue_depth, virtblk_queue_depth, uint, 0444); >>> >>> +static int virtblk_validate(struct virtio_device *vdev) >>> +{ >>> + u32 blk_size; >>> + >>> + if (!vdev->config->get) { >>> + dev_err(&vdev->dev, "%s failure: config access disabled\n", >>> + __func__); >>> + return -EINVAL; >>> + } >>> + >>> + if (!virtio_has_feature(vdev, VIRTIO_BLK_F_BLK_SIZE)) >>> + return 0; >>> + >>> + blk_size = virtio_cread32(vdev, >>> + offsetof(struct virtio_blk_config, blk_size)); >>> + >>> + if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE) >>> + __virtio_clear_bit(vdev, VIRTIO_BLK_F_BLK_SIZE);
>>
>> I wonder if it's better to just fail here as what we did for probe().
>>
> Looks like we don't need to do that since we already clear the
> VIRTIO_BLK_F_BLK_SIZE to tell the device that we don't use the block
> size in configuration space. Just like what we did in
> virtnet_validate().
>
> Thanks,
> Yongji

Ok, so

Acked-by: Jason Wang <jasowang@...hat.com>

>
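
Review bot: the range test at the end of virtblk_validate(), "if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE)", only bounds the value and does not require it to be a power of two, so a device-supplied blk_size such as 1000 passes and VIRTIO_BLK_F_BLK_SIZE stays set. Consider adding "|| !is_power_of_2(blk_size)" to the condition so that only sizes the driver can sensibly use as a block size survive validation. The clearing path is also silent, unlike the config->get branch above it, which reports through dev_err(); a dev_warn() that prints the rejected blk_size before __virtio_clear_bit() would make a misbehaving or hostile device visible in the log.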