| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Apr 2022 03:33:31 +0000
From: "Michael Kelley (LINUX)" <mikelley@...rosoft.com>
To: "Andrea Parri (Microsoft)" <parri.andrea@...il.com>,
KY Srinivasan <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>,
Stephen Hemminger <sthemmin@...rosoft.com>,
Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
Stefano Garzarella <sgarzare@...hat.com>,
David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
CC: "linux-hyperv@...r.kernel.org" <linux-hyperv@...r.kernel.org>,
"virtualization@...ts.linux-foundation.org"
<virtualization@...ts.linux-foundation.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [RFC PATCH 2/6] hv_sock: Copy packets sent by Hyper-V out of the
ring buffer
From: Andrea Parri (Microsoft) <parri.andrea@...il.com> Sent: Wednesday, April 13, 2022 1:48 PM
>
> Pointers to VMbus packets sent by Hyper-V are used by the hv_sock driver
> within the gues VM. Hyper-V can send packets with erroneous values or
s/gues/guest/
> modify packet fields after they are processed by the guest. To defend
> against these scenarios, copy the incoming packet after validating its
> length and offset fields using hv_pkt_iter_{first,next}(). In this way,
> the packet can no longer be modified by the host.
>
> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@...il.com>
> ---
> net/vmw_vsock/hyperv_transport.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
> index 943352530936e..8c37d07017fc4 100644
> --- a/net/vmw_vsock/hyperv_transport.c
> +++ b/net/vmw_vsock/hyperv_transport.c
> @@ -78,6 +78,9 @@ struct hvs_send_buf {
> ALIGN((payload_len), 8) + \
> VMBUS_PKT_TRAILER_SIZE)
>
> +/* Upper bound on the size of a VMbus packet for hv_sock */
> +#define HVS_MAX_PKT_SIZE HVS_PKT_LEN(HVS_MTU_SIZE)
> +
> union hvs_service_id {
> guid_t srv_id;
>
> @@ -378,6 +381,8 @@ static void hvs_open_connection(struct vmbus_channel *chan)
> rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE);
> }
>
> + chan->max_pkt_size = HVS_MAX_PKT_SIZE;
> +
> ret = vmbus_open(chan, sndbuf, rcvbuf, NULL, 0, hvs_channel_cb,
> conn_from_host ? new : sk);
> if (ret != 0) {
> @@ -602,7 +607,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk,
> struct msghdr *msg,
> return -EOPNOTSUPP;
>
> if (need_refill) {
> - hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
> + hvs->recv_desc = hv_pkt_iter_first(hvs->chan);
> if (!hvs->recv_desc)
> return -ENOBUFS;
> ret = hvs_update_recv_data(hvs);
> @@ -618,7 +623,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk,
> struct msghdr *msg,
>
> hvs->recv_data_len -= to_read;
> if (hvs->recv_data_len == 0) {
> - hvs->recv_desc = hv_pkt_iter_next_raw(hvs->chan, hvs->recv_desc);
> + hvs->recv_desc = hv_pkt_iter_next(hvs->chan, hvs->recv_desc);
> if (hvs->recv_desc) {
> ret = hvs_update_recv_data(hvs);
> if (ret)
> --
> 2.25.1
Powered by blists - more mailing lists