From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen, Alexander Shishkin, Amit Shah, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH v1 1/6] virtio console: Harden multiport against invalid host input
Date: Thu, 19 Jan 2023 15:57:16 +0200
Message-Id: <20230119135721.83345-2-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

From: Andi Kleen

It's possible for the host to set the multiport flag, but pass in 0 multiports, which results in:

BUG: KASAN: slab-out-of-bounds in init_vqs+0x244/0x6c0 drivers/char/virtio_console.c:1878
Write of size 8 at addr ffff888001cc24a0 by task swapper/1
CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0-rc1-140273-gaab0bb9fbaa1-dirty #588
Call Trace:
 init_vqs+0x244/0x6c0 drivers/char/virtio_console.c:1878
 virtcons_probe+0x1a3/0x5b0 drivers/char/virtio_console.c:2042
 virtio_dev_probe+0x2b9/0x500 drivers/virtio/virtio.c:263
 call_driver_probe drivers/base/dd.c:515
 really_probe+0x1c9/0x5b0 drivers/base/dd.c:601
 really_probe_debug drivers/base/dd.c:694
 __driver_probe_device+0x10d/0x1f0 drivers/base/dd.c:754
 driver_probe_device+0x68/0x150 drivers/base/dd.c:786
 __driver_attach+0xca/0x200 drivers/base/dd.c:1145
 bus_for_each_dev+0x108/0x190 drivers/base/bus.c:301
 driver_attach+0x30/0x40 drivers/base/dd.c:1162
 bus_add_driver+0x325/0x3c0 drivers/base/bus.c:618
 driver_register+0xf3/0x1d0 drivers/base/driver.c:171
 ...

Add a suitable sanity check.

Signed-off-by: Andi Kleen
Signed-off-by: Alexander Shishkin
Cc: Amit Shah
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
---
 drivers/char/virtio_console.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 6a821118d553..f4fd5fe7cd3a 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1843,6 +1843,9 @@ static int init_vqs(struct ports_device *portdev) int err; =20 nr_ports =3D portdev->max_nr_ports; + if (use_multiport(portdev) && nr_ports < 1) + return -EINVAL; + nr_queues =3D use_multiport(portdev) ? (nr_ports + 1) * 2 : 2; =20 vqs =3D kmalloc_array(nr_queues, sizeof(struct virtqueue *), GFP_KERNEL);
-- 
2.39.0
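Review bot: the new `nr_ports < 1` test rejects only the zero case, yet `max_nr_ports` is host-supplied and also feeds `nr_queues = (nr_ports + 1) * 2` in plain arithmetic before `kmalloc_array()` gets a chance to catch an overflow of the array size; consider rejecting an upper bound at the same point so the addition and doubling cannot wrap, and spell the zero test as `nr_ports == 0` (or `!nr_ports`), which reads more naturally for a count. A `dev_warn()` before the `return -EINVAL` would also help diagnose a misbehaving backend, as the out-of-bound id path in handle_control_message() already does.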
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen, Alexander Shishkin, Amit Shah, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH v1 2/6] virtio console: Harden port adding
Date: Thu, 19 Jan 2023 15:57:17 +0200
Message-Id: <20230119135721.83345-3-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

From: Andi Kleen

The ADD_PORT operation reads and sanity checks the port id multiple times from the untrusted host. This is not safe because a malicious host could change it between reads. Read the port id only once and cache it for subsequent uses.

Signed-off-by: Andi Kleen
Signed-off-by: Alexander Shishkin
Cc: Amit Shah
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
Reviewed-by: Greg Kroah-Hartman
---
 drivers/char/virtio_console.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index f4fd5fe7cd3a..6599c2956ba4 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1563,10 +1563,13 @@ static void handle_control_message(struct virtio_de= vice *vdev, struct port *port; size_t name_size; int err; + unsigned id; =20 cpkt =3D (struct virtio_console_control *)(buf->buf + buf->offset); =20 - port =3D find_port_by_id(portdev, virtio32_to_cpu(vdev, cpkt->id)); + /* Make sure the host cannot change id under us */ + id =3D virtio32_to_cpu(vdev, READ_ONCE(cpkt->id)); + port =3D find_port_by_id(portdev, id); if (!port && cpkt->event !=3D cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD)) { /* No valid header at start of buffer. Drop it. */ 
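Review bot: `READ_ONCE(cpkt->id)` is the right primitive for a field that lives in a buffer the host can rewrite, but the same hunk still reads `cpkt->event` straight from that buffer in the `if (!port && cpkt->event != cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD))` test, so the event that decides whether a missing port is tolerated gets no such protection; read it once with `READ_ONCE()` alongside `id` so the comment "Make sure the host cannot change id under us" covers both fields that drive the dispatch.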
@@ -1583,15 +1586,14 @@ static void handle_control_message(struct virtio_de= vice *vdev, send_control_msg(port, VIRTIO_CONSOLE_PORT_READY, 1); break; } - if (virtio32_to_cpu(vdev, cpkt->id) >=3D - portdev->max_nr_ports) { + if (id >=3D portdev->max_nr_ports) { dev_warn(&portdev->vdev->dev, "Request for adding port with " "out-of-bound id %u, max. supported id: %u\n", cpkt->id, portdev->max_nr_ports - 1); break; } - add_port(portdev, virtio32_to_cpu(vdev, cpkt->id)); + add_port(portdev, id); break; case VIRTIO_CONSOLE_PORT_REMOVE: unplug_port(port);
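Review bot: the `dev_warn()` in this hunk still prints `cpkt->id` rather than the cached `id`, so the logged value is a fresh read of host-writable memory and can differ from the value that failed the `id >= portdev->max_nr_ports` test (it is also the raw `__virtio32` without `virtio32_to_cpu()`); pass `id` as the format argument so the log matches what was actually checked.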
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen, Alexander Shishkin, Christian Schoenebeck, Eric Van Hensbergen, Latchesar Ionkov, Dominique Martinet, v9fs-developer@lists.sourceforge.net
Subject: [PATCH v1 3/6] virtio 9p: Fix an overflow
Date: Thu, 19 Jan 2023 15:57:18 +0200
Message-Id: <20230119135721.83345-4-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

From: Andi Kleen

tag_len is read as a u16 from the untrusted host. It could overflow in the memory allocation, which would lead to a too small buffer. Some later loops use it when extended to 32bit, so they could overflow the too small buffer. Make sure to do the arithmetic for the buffer size in 32bit to avoid wrapping.

Signed-off-by: Andi Kleen
Signed-off-by: Alexander Shishkin
Reviewed-by: Christian Schoenebeck
Cc: Eric Van Hensbergen
Cc: Latchesar Ionkov
Cc: Dominique Martinet
Cc: v9fs-developer@lists.sourceforge.net
---
 net/9p/trans_virtio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 3c27ffb781e3..a78e4d80e5ba 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -629,7 +629,7 @@ static int p9_virtio_probe(struct virtio_device *vdev) err =3D -EINVAL; goto out_free_vq; } - tag =3D kzalloc(tag_len + 1, GFP_KERNEL); + tag =3D kzalloc((u32)tag_len + 1, GFP_KERNEL); if (!tag) { err =3D -ENOMEM; goto out_free_vq;
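Review bot: the commit message says `tag_len` is a u16, and C's integer promotion already evaluates `tag_len + 1` as an `int`, so `(u32)tag_len + 1` yields exactly the value `kzalloc()` received before and the cast by itself does not change the allocation size; if the real concern is the later loops that use `tag_len` widened to 32 bits, the fix belongs at those uses (or in a single bounded length computed once and reused), and the commit message should name the expression that actually wraps.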
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Alexander Shishkin, Amit Shah, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH v1 4/6] virtio console: Harden control message handling
Date: Thu, 19 Jan 2023 15:57:19 +0200
Message-Id: <20230119135721.83345-5-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

In handle_control_message(), we look at the ->event field twice, which gives a malicious VMM a window in which to switch it from PORT_ADD to PORT_REMOVE, triggering a null dereference further down the line:

RIP: 0010:spin_lock_irq ./include/linux/spinlock.h:388
RIP: 0010:unplug_port+0x9/0x150 drivers/char/virtio_console.c:1512
Call Trace:
 handle_control_message+0x108/0x2c0 drivers/char/virtio_console.c:1600
 elfcorehdr_read+0x40/0x40 ??:?
 process_one_work+0x1b4/0x310 kernel/workqueue.c:2297
 worker_thread+0x5c/0x3a0 kernel/workqueue.c:2444
 kthread+0x120/0x140 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Read the event code once instead, basing all following decisions on the same value.
Signed-off-by: Alexander Shishkin
Cc: Amit Shah
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
---
 drivers/char/virtio_console.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 6599c2956ba4..62f69f949cb7 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1563,22 +1563,22 @@ static void handle_control_message(struct virtio_de= vice *vdev, struct port *port; size_t name_size; int err; - unsigned id; + unsigned id, event; =20 cpkt =3D (struct virtio_console_control *)(buf->buf + buf->offset); =20 - /* Make sure the host cannot change id under us */ + /* Make sure the host cannot change id or event under us */ id =3D virtio32_to_cpu(vdev, READ_ONCE(cpkt->id)); + event =3D virtio16_to_cpu(vdev, cpkt->event); port =3D find_port_by_id(portdev, id); - if (!port && - cpkt->event !=3D cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD)) { + if (!port && event !=3D VIRTIO_CONSOLE_PORT_ADD) { /* No valid header at start of buffer. Drop it. */ dev_dbg(&portdev->vdev->dev, "Invalid index %u in control packet\n", cpkt->id); return; } =20 - switch (virtio16_to_cpu(vdev, cpkt->event)) { + switch (event) { case VIRTIO_CONSOLE_PORT_ADD: if (port) { dev_dbg(&portdev->vdev->dev,
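Review bot: `event = virtio16_to_cpu(vdev, cpkt->event)` reads the host-writable field without `READ_ONCE()`, unlike the `id` read on the line above it, while the updated comment promises both fields are protected; wrap it in `READ_ONCE()` so the compiler cannot legally re-load `cpkt->event` from the shared buffer at the `switch (event)`. The `dev_dbg()` in the same hunk also still prints `cpkt->id` rather than the cached `id`, so the value logged for an invalid index can differ from the one that was looked up.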
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Alexander Shishkin, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Subject: [PATCH v1 5/6] virtio_net: Guard against buffer length overflow in xdp_linearize_page()
Date: Thu, 19 Jan 2023 15:57:20 +0200
Message-Id: <20230119135721.83345-6-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

When reassembling incoming buffers to an xdp_page, there is a potential integer overflow in the buffer size test, which could trigger an out-of-bounds memcpy(). Fix this by reordering the test so that both sides are of the same signedness.

Signed-off-by: Alexander Shishkin
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Jesper Dangaard Brouer
Cc: John Fastabend
Cc: David S. Miller
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
---
 drivers/net/virtio_net.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 7723b2a49d8e..dfa51dd95f63 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -751,8 +751,10 @@ static struct page *xdp_linearize_page(struct receive_= queue *rq, =20 /* guard against a misconfigured or uncooperative backend that * is sending packet larger than the MTU. + * At the same time, make sure that an especially uncooperative + * backend can't overflow the test by supplying a large buflen. */ - if ((page_off + buflen + tailroom) > PAGE_SIZE) { + if (buflen > PAGE_SIZE - page_off - tailroom) { put_page(p); goto err_buf; }
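Review bot: `buflen > PAGE_SIZE - page_off - tailroom` removes the wrap on the left-hand side but moves the risk to the right: if `page_off + tailroom` can ever exceed `PAGE_SIZE`, the unsigned subtraction wraps to a very large bound and the test passes for any `buflen`, which is the opposite of what the new comment promises. Either state in the comment why `page_off` and `tailroom` are bounded so that cannot happen, or check `page_off + tailroom > PAGE_SIZE` first and bail out before the subtraction.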
From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Alexander Shishkin
Subject: [PATCH v1 6/6] virtio_ring: Prevent bounds check bypass on descriptor index
Date: Thu, 19 Jan 2023 15:57:21 +0200
Message-Id: <20230119135721.83345-7-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

The descriptor index in virtqueue_get_buf_ctx_split() comes from the device/VMM. Use array_index_nospec() to prevent the CPU from speculating beyond the descriptor array bounds and providing a primitive for building a side channel.

Signed-off-by: Alexander Shishkin
---
 drivers/virtio/virtio_ring.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 2e7689bb933b..c42d070ab68d 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -9,6 +9,7 @@ #include #include #include +#include #include #include #include @@ -819,6 +820,8 @@ static void *virtqueue_get_buf_ctx_split(struct virtque= ue *_vq, BAD_RING(vq, "id %u out of range\n", i); return NULL; } + + i =3D array_index_nospec(i, vq->split.vring.num); if (unlikely(!vq->split.desc_state[i].data)) { BAD_RING(vq, "id %u is not a head!\n", i); return NULL;
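Review bot: the `array_index_nospec()` call is correctly placed after the range check that returns on `id %u out of range`, but without a comment a later reader may take it as redundant with that check and drop it; add a one-line comment at the call site saying that `i` is supplied by the device and the clamp stops speculative access past `vq->split.vring.num`, as the commit message already explains. The same device-controlled index is then used in `vq->split.desc_state[i]` on the next line, which is exactly the access the clamp is meant to cover, so that comment is also the place to say so.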