Date:   Mon, 28 Sep 2020 14:35:04 +0200
From:   Greg Kurz <groug@...d.org>
To:     "Michael S. Tsirkin" <mst@...hat.com>,
        Jason Wang <jasowang@...hat.com>
Cc:     kvm@...r.kernel.org, virtualization@...ts.linux-foundation.org,
        netdev@...r.kernel.org, Laurent Vivier <laurent@...ier.eu>,
        David Gibson <david@...son.dropbear.id.au>
Subject: [PATCH] vhost: Don't call vq_access_ok() when using IOTLB

When the IOTLB device is enabled, the vring addresses we get from
userspace are GIOVAs. It is thus wrong to pass them to vq_access_ok()
which only takes HVAs. The IOTLB map is likely empty at this stage,
so there isn't much that can be done with these GIOVAs. Access validation
will be performed at IOTLB prefetch time anyway.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1883084
Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
Cc: jasowang@...hat.com
CC: stable@...r.kernel.org # 4.14+
Signed-off-by: Greg Kurz <groug@...d.org>
---
 drivers/vhost/vhost.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index b45519ca66a7..6296e33df31d 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -1509,7 +1509,10 @@ static long vhost_vring_set_addr(struct vhost_dev *d,
 	 * If it is not, we don't as size might not have been setup.
 	 * We will verify when backend is configured. */
 	if (vq->private_data) {
-		if (!vq_access_ok(vq, vq->num,
+		/* If an IOTLB device is present, the vring addresses are
+		 * GIOVAs. Access will be validated during IOTLB prefetch. */
+		if (!vq->iotlb &&
+		    !vq_access_ok(vq, vq->num,
 			(void __user *)(unsigned long)a.desc_user_addr,
 			(void __user *)(unsigned long)a.avail_user_addr,
 			(void __user *)(unsigned long)a.used_user_addr))
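Review bot: in the `if (vq->private_data)` branch, the new `!vq->iotlb &&` short-circuits the whole vq_access_ok() call, so with an IOTLB present and a backend already attached this path accepts a.desc_user_addr, a.avail_user_addr and a.used_user_addr with no validation at all. The commit message relies on the IOTLB prefetch to check them later, but that path is not visible in this hunk; please confirm it covers all three addresses for vq->num entries before the first ring access, and name the function that does it in the new comment. Also, if vq_access_ok() verifies anything that remains an HVA when the IOTLB is in use, that check is skipped as well, so consider narrowing the condition to the GIOVA checks only.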

