From: "Andrea Parri (Microsoft)" <[email protected]>
[ Upstream commit e99c4afbee07e9323e9191a20b24d74dbf815bdf ]
__vmbus_open() and vmbus_teardown_gpadl() do not inizialite the memory
for the vmbus_channel_open_channel and the vmbus_channel_gpadl_teardown
objects they allocate respectively. These objects contain padding bytes
and fields that are left uninitialized and that are later sent to the
host, potentially leaking guest data. Zero initialize such fields to
avoid leaking sensitive information to the host.
Reported-by: Juan Vazquez <[email protected]>
Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
Reviewed-by: Michael Kelley <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Wei Liu <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/hv/channel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
index 6fb0c76bfbf81..0bd202de79600 100644
--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
@@ -618,7 +618,7 @@ static int __vmbus_open(struct vmbus_channel *newchannel,
goto error_clean_ring;
/* Create and init the channel open message */
- open_info = kmalloc(sizeof(*open_info) +
+ open_info = kzalloc(sizeof(*open_info) +
sizeof(struct vmbus_channel_open_channel),
GFP_KERNEL);
if (!open_info) {
@@ -745,7 +745,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
unsigned long flags;
int ret;
- info = kmalloc(sizeof(*info) +
+ info = kzalloc(sizeof(*info) +
sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
if (!info)
return -ENOMEM;
--
2.27.0
On Wed, Feb 24, 2021 at 07:50:08AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)" <[email protected]>
>
> [ Upstream commit e99c4afbee07e9323e9191a20b24d74dbf815bdf ]
>
> __vmbus_open() and vmbus_teardown_gpadl() do not inizialite the memory
> for the vmbus_channel_open_channel and the vmbus_channel_gpadl_teardown
> objects they allocate respectively. These objects contain padding bytes
> and fields that are left uninitialized and that are later sent to the
> host, potentially leaking guest data. Zero initialize such fields to
> avoid leaking sensitive information to the host.
>
> Reported-by: Juan Vazquez <[email protected]>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> Reviewed-by: Michael Kelley <[email protected]>
> Link: https://lore.kernel.org/r/[email protected]
> Signed-off-by: Wei Liu <[email protected]>
> Signed-off-by: Sasha Levin <[email protected]>
Sasha - This patch is one of a group of patches where a Linux guest running on
Hyper-V will start assuming that hypervisor behavior might be malicious, and
guards against such behavior. Because this is a new assumption, these patches
are more properly treated as new functionality rather than as bug fixes. So I
would propose that we *not* bring such patches back to stable branches.
Thanks,
Andrea
> ---
> drivers/hv/channel.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
> index 6fb0c76bfbf81..0bd202de79600 100644
> --- a/drivers/hv/channel.c
> +++ b/drivers/hv/channel.c
> @@ -618,7 +618,7 @@ static int __vmbus_open(struct vmbus_channel *newchannel,
> goto error_clean_ring;
>
> /* Create and init the channel open message */
> - open_info = kmalloc(sizeof(*open_info) +
> + open_info = kzalloc(sizeof(*open_info) +
> sizeof(struct vmbus_channel_open_channel),
> GFP_KERNEL);
> if (!open_info) {
> @@ -745,7 +745,7 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle)
> unsigned long flags;
> int ret;
>
> - info = kmalloc(sizeof(*info) +
> + info = kzalloc(sizeof(*info) +
> sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL);
> if (!info)
> return -ENOMEM;
> --
> 2.27.0
>
On Wed, Feb 24, 2021 at 02:16:00PM +0100, Andrea Parri wrote:
> On Wed, Feb 24, 2021 at 07:50:08AM -0500, Sasha Levin wrote:
> > From: "Andrea Parri (Microsoft)" <[email protected]>
> >
> > [ Upstream commit e99c4afbee07e9323e9191a20b24d74dbf815bdf ]
> >
> > __vmbus_open() and vmbus_teardown_gpadl() do not inizialite the memory
> > for the vmbus_channel_open_channel and the vmbus_channel_gpadl_teardown
> > objects they allocate respectively. These objects contain padding bytes
> > and fields that are left uninitialized and that are later sent to the
> > host, potentially leaking guest data. Zero initialize such fields to
> > avoid leaking sensitive information to the host.
> >
> > Reported-by: Juan Vazquez <[email protected]>
> > Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> > Reviewed-by: Michael Kelley <[email protected]>
> > Link: https://lore.kernel.org/r/[email protected]
> > Signed-off-by: Wei Liu <[email protected]>
> > Signed-off-by: Sasha Levin <[email protected]>
>
> Sasha - This patch is one of a group of patches where a Linux guest running on
> Hyper-V will start assuming that hypervisor behavior might be malicious, and
> guards against such behavior. Because this is a new assumption, these patches
> are more properly treated as new functionality rather than as bug fixes. So I
> would propose that we *not* bring such patches back to stable branches.
For future/similar cases: I'm wondering, is there some way to annotate a patch
with "please do not bring it back"?
Thanks,
Andrea
On Wed, Feb 24, 2021 at 02:30:52PM +0100, Andrea Parri wrote:
>On Wed, Feb 24, 2021 at 02:16:00PM +0100, Andrea Parri wrote:
>> On Wed, Feb 24, 2021 at 07:50:08AM -0500, Sasha Levin wrote:
>> > From: "Andrea Parri (Microsoft)" <[email protected]>
>> >
>> > [ Upstream commit e99c4afbee07e9323e9191a20b24d74dbf815bdf ]
>> >
>> > __vmbus_open() and vmbus_teardown_gpadl() do not inizialite the memory
>> > for the vmbus_channel_open_channel and the vmbus_channel_gpadl_teardown
>> > objects they allocate respectively. These objects contain padding bytes
>> > and fields that are left uninitialized and that are later sent to the
>> > host, potentially leaking guest data. Zero initialize such fields to
>> > avoid leaking sensitive information to the host.
>> >
>> > Reported-by: Juan Vazquez <[email protected]>
>> > Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
>> > Reviewed-by: Michael Kelley <[email protected]>
>> > Link: https://lore.kernel.org/r/[email protected]
>> > Signed-off-by: Wei Liu <[email protected]>
>> > Signed-off-by: Sasha Levin <[email protected]>
>>
>> Sasha - This patch is one of a group of patches where a Linux guest running on
>> Hyper-V will start assuming that hypervisor behavior might be malicious, and
>> guards against such behavior. Because this is a new assumption, these patches
>> are more properly treated as new functionality rather than as bug fixes. So I
>> would propose that we *not* bring such patches back to stable branches.
>
>For future/similar cases: I'm wondering, is there some way to annotate a patch
>with "please do not bring it back"?
There's nothing explicit for the AUTOSEL stuff. A note in the changelog
could work.
--
Thanks,
Sasha