| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211023171627-mutt-send-email-mst@kernel.org>
Date: Sat, 23 Oct 2021 17:31:23 -0400
From: "Michael S. Tsirkin" <mst@...hat.com>
To: Jason Wang <jasowang@...hat.com>
Cc: virtualization@...ts.linux-foundation.org,
linux-kernel@...r.kernel.org, f.hetzelt@...berlin.de,
david.kaplan@....com, konrad.wilk@...cle.com
Subject: Re: [PATCH V3 00/10] More virtio hardening
On Tue, Oct 19, 2021 at 03:01:42PM +0800, Jason Wang wrote:
> Hi All:
>
> This series treis to do more hardening for virito.
OK. So patches 7-10 caused a crash in virtio-blk.
I'm close to sure it's patch 10 actually, and forcing
validation seems to fix the crash.
I also suspect it has something to do with the fact that
blk submits requests in the middle of the probe function.
picked up 1-6 for now.
> patch 1 validates the num_queues for virio-blk device.
> patch 2 validates max_nr_ports for virito-console device.
> patch 3-5 harden virtio-pci interrupts to make sure no exepcted
> interrupt handler is tiggered. If this makes sense we can do similar
> things in other transport drivers.
> patch 6-7 validate used ring length.
> patch 8-10 let the driver to validate the used length instead of the
> virtio core when possible.
>
> Smoking test on blk/net with packed=on/off and iommu_platform=on/off.
>
> Please review.
>
> Changes since V2:
> - don't validate max_nr_ports in .validate()
> - fail the probe instead of trying to work when blk/console returns
> invalid number of queues/ports
> - use READ_ONCE() instead of smp_load_acquire() for checking
> intx_soft_enabled
> - use "suppress_used_validation" instead of "validate_used"
>
> Changes since V1:
> - fix and document the memory ordering around the intx_soft_enabled
> when enabling and disabling INTX interrupt
> - for the driver that can validate the used length, virtio core
> won't even try to allocate auxilary arrays and validate the used length
> - tweak the commit log
> - fix typos
>
> Jason Wang (10):
> virtio-blk: validate num_queues during probe
> virtio_console: validate max_nr_ports before trying to use it
> virtio_config: introduce a new .enable_cbs method
> virtio_pci: harden MSI-X interrupts
> virtio-pci: harden INTX interrupts
> virtio_ring: fix typos in vring_desc_extra
> virtio_ring: validate used buffer length
> virtio-net: don't let virtio core to validate used length
> virtio-blk: don't let virtio core to validate used length
> virtio-scsi: don't let virtio core to validate used buffer length
>
> drivers/block/virtio_blk.c | 5 +++
> drivers/char/virtio_console.c | 9 +++++
> drivers/net/virtio_net.c | 1 +
> drivers/scsi/virtio_scsi.c | 1 +
> drivers/virtio/virtio_pci_common.c | 48 ++++++++++++++++++++----
> drivers/virtio/virtio_pci_common.h | 7 +++-
> drivers/virtio/virtio_pci_legacy.c | 5 ++-
> drivers/virtio/virtio_pci_modern.c | 6 ++-
> drivers/virtio/virtio_ring.c | 60 +++++++++++++++++++++++++++++-
> include/linux/virtio.h | 2 +
> include/linux/virtio_config.h | 6 +++
> 11 files changed, 135 insertions(+), 15 deletions(-)
>
> --
> 2.25.1
Powered by blists - more mailing lists