| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <dc8e7f6d-9aa6-58c6-97f7-c30391aeac5d@nvidia.com>
Date: Mon, 23 Aug 2021 11:07:00 +0300
From: Max Gurtovoy <mgurtovoy@...dia.com>
To: Yongji Xie <xieyongji@...edance.com>
CC: "Michael S. Tsirkin" <mst@...hat.com>,
Jason Wang <jasowang@...hat.com>,
Stefan Hajnoczi <stefanha@...hat.com>,
virtualization <virtualization@...ts.linux-foundation.org>,
<linux-block@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v5] virtio-blk: Add validation for block size in config
space
On 8/23/2021 7:31 AM, Yongji Xie wrote:
> On Mon, Aug 23, 2021 at 7:17 AM Max Gurtovoy <mgurtovoy@...dia.com> wrote:
>>
>> On 8/9/2021 1:16 PM, Xie Yongji wrote:
>>> An untrusted device might presents an invalid block size
>>> in configuration space. This tries to add validation for it
>>> in the validate callback and clear the VIRTIO_BLK_F_BLK_SIZE
>>> feature bit if the value is out of the supported range.
>> This is not clear to me. What is untrusted device ? is it a buggy device ?
>>
> A buggy device, the devices in an encrypted VM, or a userspace device
> created by VDUSE [1].
>
> [1] https://lore.kernel.org/kvm/20210818120642.165-1-xieyongji@bytedance.com/
if it's a userspace device, why don't you fix its control path code
instead of adding workarounds in the kernel driver ?
>
>> What is the return value for the blk_size in this case that you try to
>> override ?
>>
> The value that is larger than PAGE_SIZE. I think the block layer can
> not handle the block size that is larger than PAGE_SIZE correctly,
> e.g. in block_read_full_page().
>
>>> And we also double check the value in virtblk_probe() in
>>> case that it's changed after the validation.
>>>
>>> Signed-off-by: Xie Yongji <xieyongji@...edance.com>
>>> ---
>>> drivers/block/virtio_blk.c | 39 +++++++++++++++++++++++++++++++++------
>>> 1 file changed, 33 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
>>> index 4b49df2dfd23..afb37aac09e8 100644
>>> --- a/drivers/block/virtio_blk.c
>>> +++ b/drivers/block/virtio_blk.c
>>> @@ -692,6 +692,28 @@ static const struct blk_mq_ops virtio_mq_ops = {
>>> static unsigned int virtblk_queue_depth;
>>> module_param_named(queue_depth, virtblk_queue_depth, uint, 0444);
>>>
>>> +static int virtblk_validate(struct virtio_device *vdev)
>>> +{
>>> + u32 blk_size;
>>> +
>>> + if (!vdev->config->get) {
>>> + dev_err(&vdev->dev, "%s failure: config access disabled\n",
>>> + __func__);
>>> + return -EINVAL;
>>> + }
>>> +
>>> + if (!virtio_has_feature(vdev, VIRTIO_BLK_F_BLK_SIZE))
>>> + return 0;
>>> +
>>> + blk_size = virtio_cread32(vdev,
>>> + offsetof(struct virtio_blk_config, blk_size));
>>> +
>>> + if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE)
>>> + __virtio_clear_bit(vdev, VIRTIO_BLK_F_BLK_SIZE);
>> is it PAGE_SIZE or SZ_4K ?
>>
>> Do we support a 64K blk size (PPC PAGE_SIZE)
>>
> I think PAGE_SIZE should be OK here. I didn't see a hard 4K limitation
> in the kernel. NBD did the same check:
>
> static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize, loff_t blksize)
> {
> if (!blksize)
> blksize = NBD_DEF_BLKSIZE;
> if (blksize < 512 || blksize > PAGE_SIZE || !is_power_of_2(blksize))
> return -EINVAL;
>
> Thanks,
> Yongji
Powered by blists - more mailing lists