From nobody Sun Feb 8 13:39:52 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1710283065; cv=none; d=zohomail.com; s=zohoarc; b=URpTMEqHw56bRIpFjCWX+496Zp5LyqaIKJQtkrXyz03p3cZ6qwR+ykGtjQsKtoxsih4aa+sC6ZRFS03MF0FFOorf5SP4Yf1cTq7xnhI/6ut5xq7KqkpyK0hHspBaTiBXUhlkJ4QJsCT6lt+xc0F7Bl12Lr9ZY+w4OsQB13Iy28U= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1710283065; h=Content-Type:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=E/KhWbfbprqpAcQoWcPKeg1kaPY6b8jfhMedPQoGKm8=; b=lZgfMjG5ta3uo9wfGXxQWPAq63G4aXaSqdtZjicUDQQoiiJSSFA9CfgbrFcWjAwp5ip87ac4DjDJfHnCQV+D+zXcCPnZb5QAVQVylExj68prVtfxGkzJcs2kOK3UPtgrq1zG9lM5lCOQO1eK42Y1UxCqlZALgrtBsgJwLc0WLF8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1710283065799701.495139276947; Tue, 12 Mar 2024 15:37:45 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1rkAag-0006i1-M6; Tue, 12 Mar 2024 18:27:22 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rkAaZ-0005bo-RZ for qemu-devel@nongnu.org; Tue, 12 Mar 2024 18:27:16 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1rkAaX-0004MR-Nt for qemu-devel@nongnu.org; Tue, 12 Mar 2024 18:27:15 -0400 Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com [209.85.167.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-132-tQTwYCJ7MUKcnc-jK0zWFQ-1; Tue, 12 Mar 2024 18:27:11 -0400 Received: by mail-lf1-f71.google.com with SMTP id 2adb3069b0e04-513b2e92c19so2692681e87.3 for ; Tue, 12 Mar 2024 15:27:11 -0700 (PDT) Received: from redhat.com ([2.52.134.16]) by smtp.gmail.com with ESMTPSA id k13-20020a1709065fcd00b00a44f0d99d58sm4209874ejv.208.2024.03.12.15.27.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Mar 2024 15:27:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1710282433; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=E/KhWbfbprqpAcQoWcPKeg1kaPY6b8jfhMedPQoGKm8=; b=iC1cdtnfNXiGKwMaCc9Kru5rtNL7QUCcG0FoTiEX3XDMlVgqSp33rPEs1L0DzdZfbef0Gf bJdnJeqaBZZo341zTY8hfjJKVM7ihuZorBJ6t31oYl4h7PhJBECWWjvKuhyQNsq/VKBfCw 4r0Oy19GrZ5+/jJSXOIbd+BvpBW3AIU= X-MC-Unique: tQTwYCJ7MUKcnc-jK0zWFQ-1 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710282430; x=1710887230; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=E/KhWbfbprqpAcQoWcPKeg1kaPY6b8jfhMedPQoGKm8=; b=gpICx4q33SRuXyp2KQQleH+R/O+8bshcDWSFjYhqvaQ4rHfiMaXH4nzPz70Xdqw/RJ i5/JaDc17K+rGM3zJSP0tBC/It1krZZA9pDa64Ry93mQQHEuW7LwxErj/6d9xML6YW6t sMOQUTzXDUmdEKk9JV7pBv6Jjm4k2mMqp7k6DXSvFPkxFLHUPXQCLa9TPZ2MNIK8LQNq 71t50Hcopo4DW2w87NRleovbh/oHodWGmRhYFWg+z+/7u7ZnUsMoDtXIJtxZcRxUmMaV 4gWbmXEh1sGdx9UbrpGSjppItx3rqgCinkJ57i5kXrE35fxoLxEpf5zrfnGYO8I6lZjZ 7BkA== X-Gm-Message-State: AOJu0YzvxtMYys6fM8JfdfNVnb0t714JL1NIZZMXzRCJ7ozE7fi2Mf15 5eIO9RIHR7HGGePFOmPjwDEUiU8059rW0yuhI30ueXJ9aBJkw8HB+Maf7najjOz1QxQ34pI/FqS YoXHph6gvJH8BNgLVh2jCuAR7akO1m786y+nXLsxeEdpIDJ1EQU1wkRZ3OFS0lqlwLKYq6QnbfH 1Zd9fm0WhzDd9Z0QEBimvUbaDzLTRxKD4b X-Received: by 2002:a19:7607:0:b0:513:1561:af08 with SMTP id c7-20020a197607000000b005131561af08mr6854754lff.60.1710282429658; Tue, 12 Mar 2024 15:27:09 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGKgJmjKml6kZ20bxUvmvsQSjKMsRjxuZ3sy0MwxgT1LG4tuunvV/OHWfgWZQN60VvmzpRn1Q== X-Received: by 2002:a19:7607:0:b0:513:1561:af08 with SMTP id c7-20020a197607000000b005131561af08mr6854742lff.60.1710282429129; Tue, 12 Mar 2024 15:27:09 -0700 (PDT) Date: Tue, 12 Mar 2024 18:27:05 -0400 From: "Michael S. Tsirkin" To: qemu-devel@nongnu.org Cc: Peter Maydell , Albert Esteve , Stefan Hajnoczi Subject: [PULL 31/68] hw/virtio: check owner for removing objects Message-ID: <043e127a126bb3ceb5fc753deee27d261fd0c5ce.1710282274.git.mst@redhat.com> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-Mailer: git-send-email 2.27.0.106.g8ac3dc51b1 X-Mutt-Fcc: =sent Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=mst@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.687, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1710283067161100002 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Albert Esteve Shared objects lack spoofing protection. For VHOST_USER_BACKEND_SHARED_OBJECT_REMOVE messages received by the vhost-user interface, any backend was allowed to remove entries from the shared table just by knowing the UUID. Only the owner of the entry shall be allowed to removed their resources from the table. To fix that, add a check for all *SHARED_OBJECT_REMOVE messages received. A vhost device can only remove TYPE_VHOST_DEV entries that are owned by them, otherwise skip the removal, and inform the device that the entry has not been removed in the answer. Signed-off-by: Albert Esteve Acked-by: Stefan Hajnoczi Message-Id: <20240219143423.272012-2-aesteve@redhat.com> Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- hw/virtio/vhost-user.c | 21 +++++++++++++++++++-- docs/interop/vhost-user.rst | 4 +++- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index a1eea8547e..9d654efd3d 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -1611,11 +1611,27 @@ vhost_user_backend_handle_shared_object_add(struct = vhost_dev *dev, } =20 static int -vhost_user_backend_handle_shared_object_remove(VhostUserShared *object) +vhost_user_backend_handle_shared_object_remove(struct vhost_dev *dev, + VhostUserShared *object) { QemuUUID uuid; =20 memcpy(uuid.data, object->uuid, sizeof(object->uuid)); + switch (virtio_object_type(&uuid)) { + case TYPE_VHOST_DEV: + { + struct vhost_dev *owner =3D virtio_lookup_vhost_device(&uuid); + if (dev !=3D owner) { + /* Not allowed to remove non-owned entries */ + return 0; + } + break; + } + default: + /* Not allowed to remove non-owned entries */ + return 0; + } + return virtio_remove_resource(&uuid); } =20 @@ -1794,7 +1810,8 @@ static gboolean backend_read(QIOChannel *ioc, GIOCond= ition condition, ret =3D vhost_user_backend_handle_shared_object_add(dev, &payload.= object); break; case VHOST_USER_BACKEND_SHARED_OBJECT_REMOVE: - ret =3D vhost_user_backend_handle_shared_object_remove(&payload.ob= ject); + ret =3D vhost_user_backend_handle_shared_object_remove(dev, + &payload.obje= ct); break; case VHOST_USER_BACKEND_SHARED_OBJECT_LOOKUP: ret =3D vhost_user_backend_handle_shared_object_lookup(dev->opaque= , ioc, diff --git a/docs/interop/vhost-user.rst b/docs/interop/vhost-user.rst index d1ed39dfa0..d8419fd2f1 100644 --- a/docs/interop/vhost-user.rst +++ b/docs/interop/vhost-user.rst @@ -1839,7 +1839,9 @@ is sent by the front-end. When the ``VHOST_USER_PROTOCOL_F_SHARED_OBJECT`` protocol feature has been successfully negotiated, this message can be submitted by the backend to remove themselves from to the virtio-dmabuf shared - table API. The shared table will remove the back-end device associated w= ith + table API. Only the back-end owning the entry (i.e., the one that first = added + it) will have permission to remove it. Otherwise, the message is ignored. + The shared table will remove the back-end device associated with the UUID. If ``VHOST_USER_PROTOCOL_F_REPLY_ACK`` is negotiated, and the back-end sets the ``VHOST_USER_NEED_REPLY`` flag, the front-end must res= pond with zero when operation is successfully completed, or non-zero otherwis= e. --=20 MST