| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGxU2F6jSBM-VKU6vaojvBF_4zTWndmaQ4rFvLxds6gOPjXpcA@mail.gmail.com>
Date: Thu, 17 Jul 2025 11:25:00 +0200
From: Stefano Garzarella <sgarzare@...hat.com>
To: Jason Wang <jasowang@...hat.com>
Cc: Will Deacon <will@...nel.org>, linux-kernel@...r.kernel.org,
Keir Fraser <keirf@...gle.com>, Steven Moreland <smoreland@...gle.com>,
Frederick Mayle <fmayle@...gle.com>, Stefan Hajnoczi <stefanha@...hat.com>,
"Michael S. Tsirkin" <mst@...hat.com>, Eugenio Pérez <eperezma@...hat.com>,
netdev@...r.kernel.org, virtualization@...ts.linux.dev,
stable@...r.kernel.org
Subject: Re: [PATCH v4 1/9] vhost/vsock: Avoid allocating arbitrarily-sized SKBs
On Thu, 17 Jul 2025 at 11:10, Jason Wang <jasowang@...hat.com> wrote:
>
> On Thu, Jul 17, 2025 at 5:01 PM Will Deacon <will@...nel.org> wrote:
> >
> > vhost_vsock_alloc_skb() returns NULL for packets advertising a length
> > larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However,
> > this is only checked once the SKB has been allocated and, if the length
> > in the packet header is zero, the SKB may not be freed immediately.
>
> Can this be triggered from the guest? (I guess yes) Did we need to
> consider it as a security issue?
Yep, but then the packet would still be discarded later, and the
memory released, so it can only increase the pressure on allocation,
but the guest can still do so by sending packets for example on an
unopened port.
Stefano
>
> >
> > Hoist the size check before the SKB allocation so that an iovec larger
> > than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected
> > outright. The subsequent check on the length field in the header can
> > then simply check that the allocated SKB is indeed large enough to hold
> > the packet.
> >
> > Cc: <stable@...r.kernel.org>
> > Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
> > Reviewed-by: Stefano Garzarella <sgarzare@...hat.com>
> > Signed-off-by: Will Deacon <will@...nel.org>
> > ---
> > drivers/vhost/vsock.c | 6 ++++--
> > 1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
> > index 802153e23073..66a0f060770e 100644
> > --- a/drivers/vhost/vsock.c
> > +++ b/drivers/vhost/vsock.c
> > @@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq,
> >
> > len = iov_length(vq->iov, out);
> >
> > + if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
> > + return NULL;
> > +
> > /* len contains both payload and hdr */
> > skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
> > if (!skb)
> > @@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq,
> > return skb;
> >
> > /* The pkt is too big or the length in the header is invalid */
> > - if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
> > - payload_len + sizeof(*hdr) > len) {
> > + if (payload_len + sizeof(*hdr) > len) {
> > kfree_skb(skb);
> > return NULL;
> > }
> > --
> > 2.50.0.727.gbf7dc18ff4-goog
> >
>
> Thanks
>
Powered by blists - more mailing lists