lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20211006122709.27885-1-david@redhat.com>
Date:   Wed,  6 Oct 2021 14:27:09 +0200
From:   David Hildenbrand <david@...hat.com>
To:     linux-kernel@...r.kernel.org
Cc:     virtualization@...ts.linux-foundation.org,
        David Hildenbrand <david@...hat.com>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        Jason Wang <jasowang@...hat.com>,
        Cornelia Huck <cohuck@...hat.com>,
        Marek Kedzierski <mkedzier@...hat.com>,
        Hui Zhu <teawater@...il.com>,
        Sebastien Boeuf <sebastien.boeuf@...el.com>,
        Pankaj Gupta <pankaj.gupta.linux@...il.com>,
        Wei Yang <richard.weiyang@...ux.alibaba.com>
Subject: [PATCH v2] virtio-mem: support VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE

The initial virtio-mem spec states that while unplugged memory should not
be read, the device still has to allow for reading unplugged memory inside
the usable region. The primary motivation for this default handling was
to simplify bringup of virtio-mem, because there were corner cases where
Linux might have accidentially read unplugged memory inside added Linux
memory blocks.

In the meantime, we:
* Removed /dev/kmem
* Disallowed access to virtio-mem device memory via /dev/mem
* Sanitized access to virtio-mem device memory via /proc/kcore
* Sanitized access to virtio-mem device memory via /proc/vmcore

"Accidential" access to unplugged memory is no longer possible; we can
support the new VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE feature that will be
required by some hypervisors implementing virtio-mem in the near future.

Cc: "Michael S. Tsirkin" <mst@...hat.com>
Cc: Jason Wang <jasowang@...hat.com>
Cc: Cornelia Huck <cohuck@...hat.com>
Cc: Marek Kedzierski <mkedzier@...hat.com>
Cc: Hui Zhu <teawater@...il.com>
Cc: Sebastien Boeuf <sebastien.boeuf@...el.com>
Cc: Pankaj Gupta <pankaj.gupta.linux@...il.com>
Cc: Wei Yang <richard.weiyang@...ux.alibaba.com>
Signed-off-by: David Hildenbrand <david@...hat.com>
---

Michael, I want this patch in v5.16 if the following two series that
are already queued by Andrew via the -MM tree go into v5.16 (which I
I assume but we never know :) ):
* [PATCH v5 0/3] virtio-mem: disallow mapping virtio-mem memory via
  /dev/mem
  https://lkml.kernel.org/r/20210920142856.17758-1-david@redhat.com
* [PATCH v2 0/9] proc/vmcore: sanitize access to virtio-mem memory
  https://lkml.kernel.org/r/20211005121430.30136-1-david@redhat.com

This is the follow-up of:
  https://lkml.kernel.org/r/20210215122143.27608-1-david@redhat.com
The spec updated was proposed in:
  https://lists.oasis-open.org/archives/virtio-comment/202109/msg00027.html

v1 -> v2:
- Now that we handle /dev/mem and /proc/vmcore cleaner, we can get
  simplify and just support the flag unconditionally

---
 drivers/virtio/virtio_mem.c     | 1 +
 include/uapi/linux/virtio_mem.h | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/virtio/virtio_mem.c b/drivers/virtio/virtio_mem.c
index bef8ad6bf466..78dfdc9c98a1 100644
--- a/drivers/virtio/virtio_mem.c
+++ b/drivers/virtio/virtio_mem.c
@@ -2758,6 +2758,7 @@ static unsigned int virtio_mem_features[] = {
 #if defined(CONFIG_NUMA) && defined(CONFIG_ACPI_NUMA)
 	VIRTIO_MEM_F_ACPI_PXM,
 #endif
+	VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE,
 };
 
 static const struct virtio_device_id virtio_mem_id_table[] = {
diff --git a/include/uapi/linux/virtio_mem.h b/include/uapi/linux/virtio_mem.h
index 70e01c687d5e..e9122f1d0e0c 100644
--- a/include/uapi/linux/virtio_mem.h
+++ b/include/uapi/linux/virtio_mem.h
@@ -68,9 +68,10 @@
  * explicitly triggered (VIRTIO_MEM_REQ_UNPLUG).
  *
  * There are no guarantees what will happen if unplugged memory is
- * read/written. Such memory should, in general, not be touched. E.g.,
- * even writing might succeed, but the values will simply be discarded at
- * random points in time.
+ * read/written. In general, unplugged memory should not be touched, because
+ * the resulting action is undefined. There is one exception: without
+ * VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE, unplugged memory inside the usable
+ * region can be read, to simplify creation of memory dumps.
  *
  * It can happen that the device cannot process a request, because it is
  * busy. The device driver has to retry later.
@@ -87,6 +88,8 @@
 
 /* node_id is an ACPI PXM and is valid */
 #define VIRTIO_MEM_F_ACPI_PXM		0
+/* unplugged memory must not be accessed */
+#define VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE	1
 
 
 /* --- virtio-mem: guest -> host requests --- */

base-commit: 9e1ff307c779ce1f0f810c7ecce3d95bbae40896
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ