> -----Original Message-----
> From: Andrea Parri (Microsoft) <[email protected]>
> Sent: Thursday, September 10, 2020 8:48 AM
> To: [email protected]
> Cc: KY Srinivasan <[email protected]>; Haiyang Zhang
> <[email protected]>; Stephen Hemminger
> <[email protected]>; Wei Liu <[email protected]>; linux-
> [email protected]; Andres Beltran <[email protected]>; Michael
> Kelley <[email protected]>; Saruhan Karademir
> <[email protected]>; Juan Vazquez <[email protected]>; Andrea
> Parri <[email protected]>; David S. Miller <[email protected]>;
> Jakub Kicinski <[email protected]>; [email protected]
> Subject: [PATCH v2] hv_netvsc: Add validation for untrusted Hyper-V values
>
> From: Andres Beltran <[email protected]>
>
> For additional robustness in the face of Hyper-V errors or malicious
> behavior, validate all values that originate from packets that Hyper-V
> has sent to the guest in the host-to-guest ring buffer. Ensure that
> invalid values cannot cause indexing off the end of an array, or
> subvert an existing validation via integer overflow. Ensure that
> outgoing packets do not have any leftover guest memory that has not
> been zeroed out.
>
> Signed-off-by: Andres Beltran <[email protected]>
> Co-developed-by: Andrea Parri (Microsoft) <[email protected]>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> Cc: "David S. Miller" <[email protected]>
> Cc: Jakub Kicinski <[email protected]>
> Cc: [email protected]
> ---
> Changes in v2:
> - Replace size check on struct nvsp_message with sub-checks (Haiyang)
>
> drivers/net/hyperv/hyperv_net.h | 4 +
> drivers/net/hyperv/netvsc.c | 120 ++++++++++++++++++++++++++----
> drivers/net/hyperv/netvsc_drv.c | 7 ++
> drivers/net/hyperv/rndis_filter.c | 73 ++++++++++++++++--
> 4 files changed, 184 insertions(+), 20 deletions(-)
>
> diff --git a/drivers/net/hyperv/hyperv_net.h
> b/drivers/net/hyperv/hyperv_net.h
> index 4d2b2d48ff2a1..da78bd0fb2aa2 100644
> --- a/drivers/net/hyperv/hyperv_net.h
> +++ b/drivers/net/hyperv/hyperv_net.h
> @@ -860,6 +860,10 @@ static inline u32 netvsc_rqstor_size(unsigned long
> ringbytes)
> ringbytes / NETVSC_MIN_IN_MSG_SIZE;
> }
>
> +#define NETVSC_XFER_HEADER_SIZE(rng_cnt) \
> + (offsetof(struct vmtransfer_page_packet_header, ranges) +
> \
> + (rng_cnt) * sizeof(struct vmtransfer_page_range))
> +
> struct multi_send_data {
> struct sk_buff *skb; /* skb containing the pkt */
> struct hv_netvsc_packet *pkt; /* netvsc pkt pending */
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index 03e93e3ddbad8..90b7a39c2dc78 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -388,6 +388,15 @@ static int netvsc_init_buf(struct hv_device *device,
> net_device->recv_section_size = resp->sections[0].sub_alloc_size;
> net_device->recv_section_cnt = resp->sections[0].num_sub_allocs;
>
> + /* Ensure buffer will not overflow */
> + if (net_device->recv_section_size < NETVSC_MTU_MIN ||
> (u64)net_device->recv_section_size *
> + (u64)net_device->recv_section_cnt > (u64)buf_size) {
> + netdev_err(ndev, "invalid recv_section_size %u\n",
> + net_device->recv_section_size);
> + ret = -EINVAL;
> + goto cleanup;
> + }
> +
> /* Setup receive completion ring.
> * Add 1 to the recv_section_cnt because at least one entry in a
> * ring buffer has to be empty.
> @@ -460,6 +469,12 @@ static int netvsc_init_buf(struct hv_device *device,
> /* Parse the response */
> net_device->send_section_size = init_packet->msg.
>
> v1_msg.send_send_buf_complete.section_size;
> + if (net_device->send_section_size < NETVSC_MTU_MIN) {
> + netdev_err(ndev, "invalid send_section_size %u\n",
> + net_device->send_section_size);
> + ret = -EINVAL;
> + goto cleanup;
> + }
>
> /* Section count is simply the size divided by the section size. */
> net_device->send_section_cnt = buf_size / net_device-
> >send_section_size;
> @@ -740,12 +755,45 @@ static void netvsc_send_completion(struct
> net_device *ndev,
> int budget)
> {
> const struct nvsp_message *nvsp_packet = hv_pkt_data(desc);
> + u32 msglen = hv_pkt_datalen(desc);
> +
> + /* Ensure packet is big enough to read header fields */
> + if (msglen < sizeof(struct nvsp_message_header)) {
> + netdev_err(ndev, "nvsp_message length too small: %u\n",
> msglen);
> + return;
> + }
>
> switch (nvsp_packet->hdr.msg_type) {
> case NVSP_MSG_TYPE_INIT_COMPLETE:
> + if (msglen < sizeof(struct nvsp_message_init_complete)) {
This and other similar places should include header size:
if (msglen < sizeof(struct nvsp_message_header) + sizeof(struct nvsp_message_init_complete)) {
Thanks,
- Haiyang
> > @@ -740,12 +755,45 @@ static void netvsc_send_completion(struct
> > net_device *ndev,
> > int budget)
> > {
> > const struct nvsp_message *nvsp_packet = hv_pkt_data(desc);
> > + u32 msglen = hv_pkt_datalen(desc);
> > +
> > + /* Ensure packet is big enough to read header fields */
> > + if (msglen < sizeof(struct nvsp_message_header)) {
> > + netdev_err(ndev, "nvsp_message length too small: %u\n",
> > msglen);
> > + return;
> > + }
> >
> > switch (nvsp_packet->hdr.msg_type) {
> > case NVSP_MSG_TYPE_INIT_COMPLETE:
> > + if (msglen < sizeof(struct nvsp_message_init_complete)) {
>
> This and other similar places should include header size:
> if (msglen < sizeof(struct nvsp_message_header) + sizeof(struct nvsp_message_init_complete)) {
Thanks for pointing this out; fixing for v3...
Andrea