2021-04-08 16:16:56

by Andrea Parri

[permalink] [raw]
Subject: [PATCH hyperv-next] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

From: Andres Beltran <[email protected]>

Pointers to ring-buffer packets sent by Hyper-V are used within the
guest VM. Hyper-V can send packets with erroneous values or modify
packet fields after they are processed by the guest. To defend
against these scenarios, return a copy of the incoming VMBus packet
after validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.

Signed-off-by: Andres Beltran <[email protected]>
Co-developed-by: Andrea Parri (Microsoft) <[email protected]>
Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
---
drivers/hv/channel.c | 9 ++--
drivers/hv/hv_fcopy.c | 1 +
drivers/hv/hv_kvp.c | 1 +
drivers/hv/hyperv_vmbus.h | 2 +-
drivers/hv/ring_buffer.c | 82 ++++++++++++++++++++++++++-----
drivers/net/hyperv/hyperv_net.h | 7 +++
drivers/net/hyperv/netvsc.c | 2 +
drivers/net/hyperv/rndis_filter.c | 2 +
drivers/scsi/storvsc_drv.c | 10 ++++
include/linux/hyperv.h | 48 +++++++++++++++---
net/vmw_vsock/hyperv_transport.c | 4 +-
11 files changed, 143 insertions(+), 25 deletions(-)

diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
index db30be8f9ccea..b665db21e120d 100644
--- a/drivers/hv/channel.c
+++ b/drivers/hv/channel.c
@@ -597,12 +597,15 @@ static int __vmbus_open(struct vmbus_channel *newchannel,
newchannel->onchannel_callback = onchannelcallback;
newchannel->channel_callback_context = context;

- err = hv_ringbuffer_init(&newchannel->outbound, page, send_pages);
+ if (!newchannel->max_pkt_size)
+ newchannel->max_pkt_size = VMBUS_DEFAULT_MAX_PKT_SIZE;
+
+ err = hv_ringbuffer_init(&newchannel->outbound, page, send_pages, 0);
if (err)
goto error_clean_ring;

- err = hv_ringbuffer_init(&newchannel->inbound,
- &page[send_pages], recv_pages);
+ err = hv_ringbuffer_init(&newchannel->inbound, &page[send_pages],
+ recv_pages, newchannel->max_pkt_size);
if (err)
goto error_clean_ring;

diff --git a/drivers/hv/hv_fcopy.c b/drivers/hv/hv_fcopy.c
index 59ce85e00a028..660036da74495 100644
--- a/drivers/hv/hv_fcopy.c
+++ b/drivers/hv/hv_fcopy.c
@@ -349,6 +349,7 @@ int hv_fcopy_init(struct hv_util_service *srv)
{
recv_buffer = srv->recv_buffer;
fcopy_transaction.recv_channel = srv->channel;
+ fcopy_transaction.recv_channel->max_pkt_size = HV_HYP_PAGE_SIZE * 2;

/*
* When this driver loads, the user level daemon that
diff --git a/drivers/hv/hv_kvp.c b/drivers/hv/hv_kvp.c
index b49962d312cef..c698592b83e42 100644
--- a/drivers/hv/hv_kvp.c
+++ b/drivers/hv/hv_kvp.c
@@ -757,6 +757,7 @@ hv_kvp_init(struct hv_util_service *srv)
{
recv_buffer = srv->recv_buffer;
kvp_transaction.recv_channel = srv->channel;
+ kvp_transaction.recv_channel->max_pkt_size = HV_HYP_PAGE_SIZE * 4;

/*
* When this driver loads, the user level daemon that
diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
index 9416e09ebd58c..42f3d9d123a12 100644
--- a/drivers/hv/hyperv_vmbus.h
+++ b/drivers/hv/hyperv_vmbus.h
@@ -174,7 +174,7 @@ extern int hv_synic_cleanup(unsigned int cpu);
void hv_ringbuffer_pre_init(struct vmbus_channel *channel);

int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
- struct page *pages, u32 pagecnt);
+ struct page *pages, u32 pagecnt, u32 max_pkt_size);

void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info);

diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
index ecd82ebfd5bc4..848f3bba83f8b 100644
--- a/drivers/hv/ring_buffer.c
+++ b/drivers/hv/ring_buffer.c
@@ -190,7 +190,7 @@ void hv_ringbuffer_pre_init(struct vmbus_channel *channel)

/* Initialize the ring buffer. */
int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
- struct page *pages, u32 page_cnt)
+ struct page *pages, u32 page_cnt, u32 max_pkt_size)
{
int i;
struct page **pages_wraparound;
@@ -232,6 +232,14 @@ int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
sizeof(struct hv_ring_buffer);
ring_info->priv_read_index = 0;

+ /* Initialize buffer that holds copies of incoming packets */
+ if (max_pkt_size) {
+ ring_info->pkt_buffer = kzalloc(max_pkt_size, GFP_KERNEL);
+ if (!ring_info->pkt_buffer)
+ return -ENOMEM;
+ ring_info->pkt_buffer_size = max_pkt_size;
+ }
+
spin_lock_init(&ring_info->ring_lock);

return 0;
@@ -244,6 +252,9 @@ void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info)
vunmap(ring_info->ring_buffer);
ring_info->ring_buffer = NULL;
mutex_unlock(&ring_info->ring_buffer_mutex);
+
+ kfree(ring_info->pkt_buffer);
+ ring_info->pkt_buffer_size = 0;
}

/* Write to the ring buffer. */
@@ -384,7 +395,7 @@ int hv_ringbuffer_read(struct vmbus_channel *channel,
memcpy(buffer, (const char *)desc + offset, packetlen);

/* Advance ring index to next packet descriptor */
- __hv_pkt_iter_next(channel, desc);
+ __hv_pkt_iter_next(channel, desc, true);

/* Notify host of update */
hv_pkt_iter_close(channel);
@@ -410,6 +421,22 @@ static u32 hv_pkt_iter_avail(const struct hv_ring_buffer_info *rbi)
return (rbi->ring_datasize - priv_read_loc) + write_loc;
}

+/*
+ * Get first vmbus packet without copying it out of the ring buffer
+ */
+struct vmpacket_descriptor *hv_pkt_iter_first_raw(struct vmbus_channel *channel)
+{
+ struct hv_ring_buffer_info *rbi = &channel->inbound;
+
+ hv_debug_delay_test(channel, MESSAGE_DELAY);
+
+ if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor))
+ return NULL;
+
+ return (struct vmpacket_descriptor *)(hv_get_ring_buffer(rbi) + rbi->priv_read_index);
+}
+EXPORT_SYMBOL_GPL(hv_pkt_iter_first_raw);
+
/*
* Get first vmbus packet from ring buffer after read_index
*
@@ -418,17 +445,49 @@ static u32 hv_pkt_iter_avail(const struct hv_ring_buffer_info *rbi)
struct vmpacket_descriptor *hv_pkt_iter_first(struct vmbus_channel *channel)
{
struct hv_ring_buffer_info *rbi = &channel->inbound;
- struct vmpacket_descriptor *desc;
+ struct vmpacket_descriptor *desc, *desc_copy;
+ u32 bytes_avail, pkt_len, pkt_offset;

- hv_debug_delay_test(channel, MESSAGE_DELAY);
- if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor))
+ desc = hv_pkt_iter_first_raw(channel);
+ if (!desc)
return NULL;

- desc = hv_get_ring_buffer(rbi) + rbi->priv_read_index;
- if (desc)
- prefetch((char *)desc + (desc->len8 << 3));
+ bytes_avail = min(rbi->pkt_buffer_size, hv_pkt_iter_avail(rbi));
+
+ /*
+ * Ensure the compiler does not use references to incoming Hyper-V values (which
+ * could change at any moment) when reading local variables later in the code
+ */
+ pkt_len = READ_ONCE(desc->len8) << 3;
+ pkt_offset = READ_ONCE(desc->offset8) << 3;
+
+ /*
+ * If pkt_len is invalid, set it to the smaller of hv_pkt_iter_avail() and
+ * rbi->pkt_buffer_size
+ */
+ if (pkt_len < sizeof(struct vmpacket_descriptor) || pkt_len > bytes_avail)
+ pkt_len = bytes_avail;
+
+ /*
+ * If pkt_offset is invalid, arbitrarily set it to
+ * the size of vmpacket_descriptor
+ */
+ if (pkt_offset < sizeof(struct vmpacket_descriptor) || pkt_offset > pkt_len)
+ pkt_offset = sizeof(struct vmpacket_descriptor);
+
+ /* Copy the Hyper-V packet out of the ring buffer */
+ desc_copy = (struct vmpacket_descriptor *)rbi->pkt_buffer;
+ memcpy(desc_copy, desc, pkt_len);
+
+ /*
+ * Hyper-V could still change len8 and offset8 after the earlier read.
+ * Ensure that desc_copy has legal values for len8 and offset8 that
+ * are consistent with the copy we just made
+ */
+ desc_copy->len8 = pkt_len >> 3;
+ desc_copy->offset8 = pkt_offset >> 3;

- return desc;
+ return desc_copy;
}
EXPORT_SYMBOL_GPL(hv_pkt_iter_first);

@@ -440,7 +499,8 @@ EXPORT_SYMBOL_GPL(hv_pkt_iter_first);
*/
struct vmpacket_descriptor *
__hv_pkt_iter_next(struct vmbus_channel *channel,
- const struct vmpacket_descriptor *desc)
+ const struct vmpacket_descriptor *desc,
+ bool copy)
{
struct hv_ring_buffer_info *rbi = &channel->inbound;
u32 packetlen = desc->len8 << 3;
@@ -453,7 +513,7 @@ __hv_pkt_iter_next(struct vmbus_channel *channel,
rbi->priv_read_index -= dsize;

/* more data? */
- return hv_pkt_iter_first(channel);
+ return copy ? hv_pkt_iter_first(channel) : hv_pkt_iter_first_raw(channel);
}
EXPORT_SYMBOL_GPL(__hv_pkt_iter_next);

diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
index e1a497d3c9ba4..154539b2f75ba 100644
--- a/drivers/net/hyperv/hyperv_net.h
+++ b/drivers/net/hyperv/hyperv_net.h
@@ -895,9 +895,16 @@ static inline u32 netvsc_rqstor_size(unsigned long ringbytes)
ringbytes / NETVSC_MIN_IN_MSG_SIZE;
}

+/* XFER PAGE packets can specify a maximum of 375 ranges for NDIS >= 6.0
+ * and a maximum of 64 ranges for NDIS < 6.0 with no RSC; with RSC, this
+ * limit is raised to 562 (= NVSP_RSC_MAX).
+ */
+#define NETVSC_MAX_XFER_PAGE_RANGES NVSP_RSC_MAX
#define NETVSC_XFER_HEADER_SIZE(rng_cnt) \
(offsetof(struct vmtransfer_page_packet_header, ranges) + \
(rng_cnt) * sizeof(struct vmtransfer_page_range))
+#define NETVSC_MAX_PKT_SIZE (NETVSC_XFER_HEADER_SIZE(NETVSC_MAX_XFER_PAGE_RANGES) + \
+ sizeof(struct nvsp_message) + (sizeof(u32) * VRSS_SEND_TAB_SIZE))

struct multi_send_data {
struct sk_buff *skb; /* skb containing the pkt */
diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
index c64cc7639c39c..d17ff04986f52 100644
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -1603,6 +1603,8 @@ struct netvsc_device *netvsc_device_add(struct hv_device *device,

/* Open the channel */
device->channel->rqstor_size = netvsc_rqstor_size(netvsc_ring_bytes);
+ device->channel->max_pkt_size = NETVSC_MAX_PKT_SIZE;
+
ret = vmbus_open(device->channel, netvsc_ring_bytes,
netvsc_ring_bytes, NULL, 0,
netvsc_channel_cb, net_device->chan_table);
diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index 123cc9d25f5ed..6508c4724c224 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -1260,6 +1260,8 @@ static void netvsc_sc_open(struct vmbus_channel *new_sc)
nvchan->channel = new_sc;

new_sc->rqstor_size = netvsc_rqstor_size(netvsc_ring_bytes);
+ new_sc->max_pkt_size = NETVSC_MAX_PKT_SIZE;
+
ret = vmbus_open(new_sc, netvsc_ring_bytes,
netvsc_ring_bytes, NULL, 0,
netvsc_channel_cb, nvchan);
diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index 6bc5453cea8a7..bfbaebded8025 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -402,6 +402,14 @@ static void storvsc_on_channel_callback(void *context);
#define STORVSC_IDE_MAX_TARGETS 1
#define STORVSC_IDE_MAX_CHANNELS 1

+/*
+ * Upper bound on the size of a storvsc packet. vmscsi_size_delta is not
+ * included in the calculation because it is set after STORVSC_MAX_PKT_SIZE
+ * is used in storvsc_connect_to_vsp
+ */
+#define STORVSC_MAX_PKT_SIZE (sizeof(struct vmpacket_descriptor) +\
+ sizeof(struct vstor_packet))
+
struct storvsc_cmd_request {
struct scsi_cmnd *cmd;

@@ -697,6 +705,7 @@ static void handle_sc_creation(struct vmbus_channel *new_sc)
return;

memset(&props, 0, sizeof(struct vmstorage_channel_properties));
+ new_sc->max_pkt_size = STORVSC_MAX_PKT_SIZE;

/*
* The size of vmbus_requestor is an upper bound on the number of requests
@@ -1290,6 +1299,7 @@ static int storvsc_connect_to_vsp(struct hv_device *device, u32 ring_size,

memset(&props, 0, sizeof(struct vmstorage_channel_properties));

+ device->channel->max_pkt_size = STORVSC_MAX_PKT_SIZE;
/*
* The size of vmbus_requestor is an upper bound on the number of requests
* that can be in-progress at any one time across all channels.
diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
index 2c18c8e768efe..7387bb41f6a37 100644
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -181,6 +181,10 @@ struct hv_ring_buffer_info {
* being freed while the ring buffer is being accessed.
*/
struct mutex ring_buffer_mutex;
+
+ /* Buffer that holds a copy of an incoming host packet */
+ void *pkt_buffer;
+ u32 pkt_buffer_size;
};


@@ -788,6 +792,8 @@ struct vmbus_device {
bool allowed_in_isolated;
};

+#define VMBUS_DEFAULT_MAX_PKT_SIZE 4096
+
struct vmbus_channel {
struct list_head listentry;

@@ -1010,6 +1016,9 @@ struct vmbus_channel {
/* request/transaction ids for VMBus */
struct vmbus_requestor requestor;
u32 rqstor_size;
+
+ /* The max size of a packet on this channel */
+ u32 max_pkt_size;
};

u64 vmbus_next_request_id(struct vmbus_requestor *rqstor, u64 rqst_addr);
@@ -1651,32 +1660,55 @@ static inline u32 hv_pkt_datalen(const struct vmpacket_descriptor *desc)
}


+struct vmpacket_descriptor *
+hv_pkt_iter_first_raw(struct vmbus_channel *channel);
+
struct vmpacket_descriptor *
hv_pkt_iter_first(struct vmbus_channel *channel);

struct vmpacket_descriptor *
__hv_pkt_iter_next(struct vmbus_channel *channel,
- const struct vmpacket_descriptor *pkt);
+ const struct vmpacket_descriptor *pkt,
+ bool copy);

void hv_pkt_iter_close(struct vmbus_channel *channel);

-/*
- * Get next packet descriptor from iterator
- * If at end of list, return NULL and update host.
- */
static inline struct vmpacket_descriptor *
-hv_pkt_iter_next(struct vmbus_channel *channel,
- const struct vmpacket_descriptor *pkt)
+hv_pkt_iter_next_pkt(struct vmbus_channel *channel,
+ const struct vmpacket_descriptor *pkt,
+ bool copy)
{
struct vmpacket_descriptor *nxt;

- nxt = __hv_pkt_iter_next(channel, pkt);
+ nxt = __hv_pkt_iter_next(channel, pkt, copy);
if (!nxt)
hv_pkt_iter_close(channel);

return nxt;
}

+/*
+ * Get next packet descriptor without copying it out of the ring buffer
+ * If at end of list, return NULL and update host.
+ */
+static inline struct vmpacket_descriptor *
+hv_pkt_iter_next_raw(struct vmbus_channel *channel,
+ const struct vmpacket_descriptor *pkt)
+{
+ return hv_pkt_iter_next_pkt(channel, pkt, false);
+}
+
+/*
+ * Get next packet descriptor from iterator
+ * If at end of list, return NULL and update host.
+ */
+static inline struct vmpacket_descriptor *
+hv_pkt_iter_next(struct vmbus_channel *channel,
+ const struct vmpacket_descriptor *pkt)
+{
+ return hv_pkt_iter_next_pkt(channel, pkt, true);
+}
+
#define foreach_vmbus_pkt(pkt, channel) \
for (pkt = hv_pkt_iter_first(channel); pkt; \
pkt = hv_pkt_iter_next(channel, pkt))
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index cc3bae2659e79..19189cf30a72f 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -596,7 +596,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,
return -EOPNOTSUPP;

if (need_refill) {
- hvs->recv_desc = hv_pkt_iter_first(hvs->chan);
+ hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
ret = hvs_update_recv_data(hvs);
if (ret)
return ret;
@@ -610,7 +610,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,

hvs->recv_data_len -= to_read;
if (hvs->recv_data_len == 0) {
- hvs->recv_desc = hv_pkt_iter_next(hvs->chan, hvs->recv_desc);
+ hvs->recv_desc = hv_pkt_iter_next_raw(hvs->chan, hvs->recv_desc);
if (hvs->recv_desc) {
ret = hvs_update_recv_data(hvs);
if (ret)
--
2.25.1


2021-04-09 15:49:55

by Michael Kelley (LINUX)

[permalink] [raw]
Subject: RE: [PATCH hyperv-next] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

From: Andrea Parri (Microsoft) <[email protected]> Sent: Thursday, April 8, 2021 9:15 AM
>
> Pointers to ring-buffer packets sent by Hyper-V are used within the
> guest VM. Hyper-V can send packets with erroneous values or modify
> packet fields after they are processed by the guest. To defend
> against these scenarios, return a copy of the incoming VMBus packet
> after validating its length and offset fields in hv_pkt_iter_first().
> In this way, the packet can no longer be modified by the host.

Andrea -- has anything changed in this version of this patch, except
the value of NETVSC_MAX_XFER_PAGE_RANGES? It used to be a
fixed 375, but now is NVSP_RSC_MAX, which is 562.

If that's the only change, then

Reviewed-by: Michael Kelley <[email protected]>

>
> Signed-off-by: Andres Beltran <[email protected]>
> Co-developed-by: Andrea Parri (Microsoft) <[email protected]>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> ---
> drivers/hv/channel.c | 9 ++--
> drivers/hv/hv_fcopy.c | 1 +
> drivers/hv/hv_kvp.c | 1 +
> drivers/hv/hyperv_vmbus.h | 2 +-
> drivers/hv/ring_buffer.c | 82 ++++++++++++++++++++++++++-----
> drivers/net/hyperv/hyperv_net.h | 7 +++
> drivers/net/hyperv/netvsc.c | 2 +
> drivers/net/hyperv/rndis_filter.c | 2 +
> drivers/scsi/storvsc_drv.c | 10 ++++
> include/linux/hyperv.h | 48 +++++++++++++++---
> net/vmw_vsock/hyperv_transport.c | 4 +-
> 11 files changed, 143 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
> index db30be8f9ccea..b665db21e120d 100644
> --- a/drivers/hv/channel.c
> +++ b/drivers/hv/channel.c
> @@ -597,12 +597,15 @@ static int __vmbus_open(struct vmbus_channel *newchannel,
> newchannel->onchannel_callback = onchannelcallback;
> newchannel->channel_callback_context = context;
>
> - err = hv_ringbuffer_init(&newchannel->outbound, page, send_pages);
> + if (!newchannel->max_pkt_size)
> + newchannel->max_pkt_size = VMBUS_DEFAULT_MAX_PKT_SIZE;
> +
> + err = hv_ringbuffer_init(&newchannel->outbound, page, send_pages, 0);
> if (err)
> goto error_clean_ring;
>
> - err = hv_ringbuffer_init(&newchannel->inbound,
> - &page[send_pages], recv_pages);
> + err = hv_ringbuffer_init(&newchannel->inbound, &page[send_pages],
> + recv_pages, newchannel->max_pkt_size);
> if (err)
> goto error_clean_ring;
>
> diff --git a/drivers/hv/hv_fcopy.c b/drivers/hv/hv_fcopy.c
> index 59ce85e00a028..660036da74495 100644
> --- a/drivers/hv/hv_fcopy.c
> +++ b/drivers/hv/hv_fcopy.c
> @@ -349,6 +349,7 @@ int hv_fcopy_init(struct hv_util_service *srv)
> {
> recv_buffer = srv->recv_buffer;
> fcopy_transaction.recv_channel = srv->channel;
> + fcopy_transaction.recv_channel->max_pkt_size = HV_HYP_PAGE_SIZE * 2;
>
> /*
> * When this driver loads, the user level daemon that
> diff --git a/drivers/hv/hv_kvp.c b/drivers/hv/hv_kvp.c
> index b49962d312cef..c698592b83e42 100644
> --- a/drivers/hv/hv_kvp.c
> +++ b/drivers/hv/hv_kvp.c
> @@ -757,6 +757,7 @@ hv_kvp_init(struct hv_util_service *srv)
> {
> recv_buffer = srv->recv_buffer;
> kvp_transaction.recv_channel = srv->channel;
> + kvp_transaction.recv_channel->max_pkt_size = HV_HYP_PAGE_SIZE * 4;
>
> /*
> * When this driver loads, the user level daemon that
> diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
> index 9416e09ebd58c..42f3d9d123a12 100644
> --- a/drivers/hv/hyperv_vmbus.h
> +++ b/drivers/hv/hyperv_vmbus.h
> @@ -174,7 +174,7 @@ extern int hv_synic_cleanup(unsigned int cpu);
> void hv_ringbuffer_pre_init(struct vmbus_channel *channel);
>
> int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
> - struct page *pages, u32 pagecnt);
> + struct page *pages, u32 pagecnt, u32 max_pkt_size);
>
> void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info);
>
> diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
> index ecd82ebfd5bc4..848f3bba83f8b 100644
> --- a/drivers/hv/ring_buffer.c
> +++ b/drivers/hv/ring_buffer.c
> @@ -190,7 +190,7 @@ void hv_ringbuffer_pre_init(struct vmbus_channel *channel)
>
> /* Initialize the ring buffer. */
> int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
> - struct page *pages, u32 page_cnt)
> + struct page *pages, u32 page_cnt, u32 max_pkt_size)
> {
> int i;
> struct page **pages_wraparound;
> @@ -232,6 +232,14 @@ int hv_ringbuffer_init(struct hv_ring_buffer_info *ring_info,
> sizeof(struct hv_ring_buffer);
> ring_info->priv_read_index = 0;
>
> + /* Initialize buffer that holds copies of incoming packets */
> + if (max_pkt_size) {
> + ring_info->pkt_buffer = kzalloc(max_pkt_size, GFP_KERNEL);
> + if (!ring_info->pkt_buffer)
> + return -ENOMEM;
> + ring_info->pkt_buffer_size = max_pkt_size;
> + }
> +
> spin_lock_init(&ring_info->ring_lock);
>
> return 0;
> @@ -244,6 +252,9 @@ void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info)
> vunmap(ring_info->ring_buffer);
> ring_info->ring_buffer = NULL;
> mutex_unlock(&ring_info->ring_buffer_mutex);
> +
> + kfree(ring_info->pkt_buffer);
> + ring_info->pkt_buffer_size = 0;
> }
>
> /* Write to the ring buffer. */
> @@ -384,7 +395,7 @@ int hv_ringbuffer_read(struct vmbus_channel *channel,
> memcpy(buffer, (const char *)desc + offset, packetlen);
>
> /* Advance ring index to next packet descriptor */
> - __hv_pkt_iter_next(channel, desc);
> + __hv_pkt_iter_next(channel, desc, true);
>
> /* Notify host of update */
> hv_pkt_iter_close(channel);
> @@ -410,6 +421,22 @@ static u32 hv_pkt_iter_avail(const struct hv_ring_buffer_info *rbi)
> return (rbi->ring_datasize - priv_read_loc) + write_loc;
> }
>
> +/*
> + * Get first vmbus packet without copying it out of the ring buffer
> + */
> +struct vmpacket_descriptor *hv_pkt_iter_first_raw(struct vmbus_channel *channel)
> +{
> + struct hv_ring_buffer_info *rbi = &channel->inbound;
> +
> + hv_debug_delay_test(channel, MESSAGE_DELAY);
> +
> + if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor))
> + return NULL;
> +
> + return (struct vmpacket_descriptor *)(hv_get_ring_buffer(rbi) + rbi-
> >priv_read_index);
> +}
> +EXPORT_SYMBOL_GPL(hv_pkt_iter_first_raw);
> +
> /*
> * Get first vmbus packet from ring buffer after read_index
> *
> @@ -418,17 +445,49 @@ static u32 hv_pkt_iter_avail(const struct hv_ring_buffer_info *rbi)
> struct vmpacket_descriptor *hv_pkt_iter_first(struct vmbus_channel *channel)
> {
> struct hv_ring_buffer_info *rbi = &channel->inbound;
> - struct vmpacket_descriptor *desc;
> + struct vmpacket_descriptor *desc, *desc_copy;
> + u32 bytes_avail, pkt_len, pkt_offset;
>
> - hv_debug_delay_test(channel, MESSAGE_DELAY);
> - if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor))
> + desc = hv_pkt_iter_first_raw(channel);
> + if (!desc)
> return NULL;
>
> - desc = hv_get_ring_buffer(rbi) + rbi->priv_read_index;
> - if (desc)
> - prefetch((char *)desc + (desc->len8 << 3));
> + bytes_avail = min(rbi->pkt_buffer_size, hv_pkt_iter_avail(rbi));
> +
> + /*
> + * Ensure the compiler does not use references to incoming Hyper-V values (which
> + * could change at any moment) when reading local variables later in the code
> + */
> + pkt_len = READ_ONCE(desc->len8) << 3;
> + pkt_offset = READ_ONCE(desc->offset8) << 3;
> +
> + /*
> + * If pkt_len is invalid, set it to the smaller of hv_pkt_iter_avail() and
> + * rbi->pkt_buffer_size
> + */
> + if (pkt_len < sizeof(struct vmpacket_descriptor) || pkt_len > bytes_avail)
> + pkt_len = bytes_avail;
> +
> + /*
> + * If pkt_offset is invalid, arbitrarily set it to
> + * the size of vmpacket_descriptor
> + */
> + if (pkt_offset < sizeof(struct vmpacket_descriptor) || pkt_offset > pkt_len)
> + pkt_offset = sizeof(struct vmpacket_descriptor);
> +
> + /* Copy the Hyper-V packet out of the ring buffer */
> + desc_copy = (struct vmpacket_descriptor *)rbi->pkt_buffer;
> + memcpy(desc_copy, desc, pkt_len);
> +
> + /*
> + * Hyper-V could still change len8 and offset8 after the earlier read.
> + * Ensure that desc_copy has legal values for len8 and offset8 that
> + * are consistent with the copy we just made
> + */
> + desc_copy->len8 = pkt_len >> 3;
> + desc_copy->offset8 = pkt_offset >> 3;
>
> - return desc;
> + return desc_copy;
> }
> EXPORT_SYMBOL_GPL(hv_pkt_iter_first);
>
> @@ -440,7 +499,8 @@ EXPORT_SYMBOL_GPL(hv_pkt_iter_first);
> */
> struct vmpacket_descriptor *
> __hv_pkt_iter_next(struct vmbus_channel *channel,
> - const struct vmpacket_descriptor *desc)
> + const struct vmpacket_descriptor *desc,
> + bool copy)
> {
> struct hv_ring_buffer_info *rbi = &channel->inbound;
> u32 packetlen = desc->len8 << 3;
> @@ -453,7 +513,7 @@ __hv_pkt_iter_next(struct vmbus_channel *channel,
> rbi->priv_read_index -= dsize;
>
> /* more data? */
> - return hv_pkt_iter_first(channel);
> + return copy ? hv_pkt_iter_first(channel) : hv_pkt_iter_first_raw(channel);
> }
> EXPORT_SYMBOL_GPL(__hv_pkt_iter_next);
>
> diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
> index e1a497d3c9ba4..154539b2f75ba 100644
> --- a/drivers/net/hyperv/hyperv_net.h
> +++ b/drivers/net/hyperv/hyperv_net.h
> @@ -895,9 +895,16 @@ static inline u32 netvsc_rqstor_size(unsigned long ringbytes)
> ringbytes / NETVSC_MIN_IN_MSG_SIZE;
> }
>
> +/* XFER PAGE packets can specify a maximum of 375 ranges for NDIS >= 6.0
> + * and a maximum of 64 ranges for NDIS < 6.0 with no RSC; with RSC, this
> + * limit is raised to 562 (= NVSP_RSC_MAX).
> + */
> +#define NETVSC_MAX_XFER_PAGE_RANGES NVSP_RSC_MAX
> #define NETVSC_XFER_HEADER_SIZE(rng_cnt) \
> (offsetof(struct vmtransfer_page_packet_header, ranges) + \
> (rng_cnt) * sizeof(struct vmtransfer_page_range))
> +#define NETVSC_MAX_PKT_SIZE
> (NETVSC_XFER_HEADER_SIZE(NETVSC_MAX_XFER_PAGE_RANGES) + \
> + sizeof(struct nvsp_message) + (sizeof(u32) * VRSS_SEND_TAB_SIZE))
>
> struct multi_send_data {
> struct sk_buff *skb; /* skb containing the pkt */
> diff --git a/drivers/net/hyperv/netvsc.c b/drivers/net/hyperv/netvsc.c
> index c64cc7639c39c..d17ff04986f52 100644
> --- a/drivers/net/hyperv/netvsc.c
> +++ b/drivers/net/hyperv/netvsc.c
> @@ -1603,6 +1603,8 @@ struct netvsc_device *netvsc_device_add(struct hv_device
> *device,
>
> /* Open the channel */
> device->channel->rqstor_size = netvsc_rqstor_size(netvsc_ring_bytes);
> + device->channel->max_pkt_size = NETVSC_MAX_PKT_SIZE;
> +
> ret = vmbus_open(device->channel, netvsc_ring_bytes,
> netvsc_ring_bytes, NULL, 0,
> netvsc_channel_cb, net_device->chan_table);
> diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
> index 123cc9d25f5ed..6508c4724c224 100644
> --- a/drivers/net/hyperv/rndis_filter.c
> +++ b/drivers/net/hyperv/rndis_filter.c
> @@ -1260,6 +1260,8 @@ static void netvsc_sc_open(struct vmbus_channel *new_sc)
> nvchan->channel = new_sc;
>
> new_sc->rqstor_size = netvsc_rqstor_size(netvsc_ring_bytes);
> + new_sc->max_pkt_size = NETVSC_MAX_PKT_SIZE;
> +
> ret = vmbus_open(new_sc, netvsc_ring_bytes,
> netvsc_ring_bytes, NULL, 0,
> netvsc_channel_cb, nvchan);
> diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
> index 6bc5453cea8a7..bfbaebded8025 100644
> --- a/drivers/scsi/storvsc_drv.c
> +++ b/drivers/scsi/storvsc_drv.c
> @@ -402,6 +402,14 @@ static void storvsc_on_channel_callback(void *context);
> #define STORVSC_IDE_MAX_TARGETS 1
> #define STORVSC_IDE_MAX_CHANNELS 1
>
> +/*
> + * Upper bound on the size of a storvsc packet. vmscsi_size_delta is not
> + * included in the calculation because it is set after STORVSC_MAX_PKT_SIZE
> + * is used in storvsc_connect_to_vsp
> + */
> +#define STORVSC_MAX_PKT_SIZE (sizeof(struct vmpacket_descriptor) +\
> + sizeof(struct vstor_packet))
> +
> struct storvsc_cmd_request {
> struct scsi_cmnd *cmd;
>
> @@ -697,6 +705,7 @@ static void handle_sc_creation(struct vmbus_channel *new_sc)
> return;
>
> memset(&props, 0, sizeof(struct vmstorage_channel_properties));
> + new_sc->max_pkt_size = STORVSC_MAX_PKT_SIZE;
>
> /*
> * The size of vmbus_requestor is an upper bound on the number of requests
> @@ -1290,6 +1299,7 @@ static int storvsc_connect_to_vsp(struct hv_device *device, u32
> ring_size,
>
> memset(&props, 0, sizeof(struct vmstorage_channel_properties));
>
> + device->channel->max_pkt_size = STORVSC_MAX_PKT_SIZE;
> /*
> * The size of vmbus_requestor is an upper bound on the number of requests
> * that can be in-progress at any one time across all channels.
> diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
> index 2c18c8e768efe..7387bb41f6a37 100644
> --- a/include/linux/hyperv.h
> +++ b/include/linux/hyperv.h
> @@ -181,6 +181,10 @@ struct hv_ring_buffer_info {
> * being freed while the ring buffer is being accessed.
> */
> struct mutex ring_buffer_mutex;
> +
> + /* Buffer that holds a copy of an incoming host packet */
> + void *pkt_buffer;
> + u32 pkt_buffer_size;
> };
>
>
> @@ -788,6 +792,8 @@ struct vmbus_device {
> bool allowed_in_isolated;
> };
>
> +#define VMBUS_DEFAULT_MAX_PKT_SIZE 4096
> +
> struct vmbus_channel {
> struct list_head listentry;
>
> @@ -1010,6 +1016,9 @@ struct vmbus_channel {
> /* request/transaction ids for VMBus */
> struct vmbus_requestor requestor;
> u32 rqstor_size;
> +
> + /* The max size of a packet on this channel */
> + u32 max_pkt_size;
> };
>
> u64 vmbus_next_request_id(struct vmbus_requestor *rqstor, u64 rqst_addr);
> @@ -1651,32 +1660,55 @@ static inline u32 hv_pkt_datalen(const struct
> vmpacket_descriptor *desc)
> }
>
>
> +struct vmpacket_descriptor *
> +hv_pkt_iter_first_raw(struct vmbus_channel *channel);
> +
> struct vmpacket_descriptor *
> hv_pkt_iter_first(struct vmbus_channel *channel);
>
> struct vmpacket_descriptor *
> __hv_pkt_iter_next(struct vmbus_channel *channel,
> - const struct vmpacket_descriptor *pkt);
> + const struct vmpacket_descriptor *pkt,
> + bool copy);
>
> void hv_pkt_iter_close(struct vmbus_channel *channel);
>
> -/*
> - * Get next packet descriptor from iterator
> - * If at end of list, return NULL and update host.
> - */
> static inline struct vmpacket_descriptor *
> -hv_pkt_iter_next(struct vmbus_channel *channel,
> - const struct vmpacket_descriptor *pkt)
> +hv_pkt_iter_next_pkt(struct vmbus_channel *channel,
> + const struct vmpacket_descriptor *pkt,
> + bool copy)
> {
> struct vmpacket_descriptor *nxt;
>
> - nxt = __hv_pkt_iter_next(channel, pkt);
> + nxt = __hv_pkt_iter_next(channel, pkt, copy);
> if (!nxt)
> hv_pkt_iter_close(channel);
>
> return nxt;
> }
>
> +/*
> + * Get next packet descriptor without copying it out of the ring buffer
> + * If at end of list, return NULL and update host.
> + */
> +static inline struct vmpacket_descriptor *
> +hv_pkt_iter_next_raw(struct vmbus_channel *channel,
> + const struct vmpacket_descriptor *pkt)
> +{
> + return hv_pkt_iter_next_pkt(channel, pkt, false);
> +}
> +
> +/*
> + * Get next packet descriptor from iterator
> + * If at end of list, return NULL and update host.
> + */
> +static inline struct vmpacket_descriptor *
> +hv_pkt_iter_next(struct vmbus_channel *channel,
> + const struct vmpacket_descriptor *pkt)
> +{
> + return hv_pkt_iter_next_pkt(channel, pkt, true);
> +}
> +
> #define foreach_vmbus_pkt(pkt, channel) \
> for (pkt = hv_pkt_iter_first(channel); pkt; \
> pkt = hv_pkt_iter_next(channel, pkt))
> diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
> index cc3bae2659e79..19189cf30a72f 100644
> --- a/net/vmw_vsock/hyperv_transport.c
> +++ b/net/vmw_vsock/hyperv_transport.c
> @@ -596,7 +596,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct
> msghdr *msg,
> return -EOPNOTSUPP;
>
> if (need_refill) {
> - hvs->recv_desc = hv_pkt_iter_first(hvs->chan);
> + hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
> ret = hvs_update_recv_data(hvs);
> if (ret)
> return ret;
> @@ -610,7 +610,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct
> msghdr *msg,
>
> hvs->recv_data_len -= to_read;
> if (hvs->recv_data_len == 0) {
> - hvs->recv_desc = hv_pkt_iter_next(hvs->chan, hvs->recv_desc);
> + hvs->recv_desc = hv_pkt_iter_next_raw(hvs->chan, hvs->recv_desc);
> if (hvs->recv_desc) {
> ret = hvs_update_recv_data(hvs);
> if (ret)
> --
> 2.25.1

2021-04-09 17:22:13

by Andrea Parri

[permalink] [raw]
Subject: Re: [PATCH hyperv-next] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

On Fri, Apr 09, 2021 at 03:49:00PM +0000, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) <[email protected]> Sent: Thursday, April 8, 2021 9:15 AM
> >
> > Pointers to ring-buffer packets sent by Hyper-V are used within the
> > guest VM. Hyper-V can send packets with erroneous values or modify
> > packet fields after they are processed by the guest. To defend
> > against these scenarios, return a copy of the incoming VMBus packet
> > after validating its length and offset fields in hv_pkt_iter_first().
> > In this way, the packet can no longer be modified by the host.
>
> Andrea -- has anything changed in this version of this patch, except
> the value of NETVSC_MAX_XFER_PAGE_RANGES? It used to be a
> fixed 375, but now is NVSP_RSC_MAX, which is 562.
>
> If that's the only change, then
>
> Reviewed-by: Michael Kelley <[email protected]>

The only change here is indeed the value of NETVSC_MAX_XFER_PAGE_RANGES,
apologies for the omission of the changelog.

Thanks for the review.

Andrea

2021-05-06 17:54:14

by Wei Liu

[permalink] [raw]
Subject: Re: [PATCH hyperv-next] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

On Thu, Apr 08, 2021 at 06:14:39PM +0200, Andrea Parri (Microsoft) wrote:
> From: Andres Beltran <[email protected]>
>
> Pointers to ring-buffer packets sent by Hyper-V are used within the
> guest VM. Hyper-V can send packets with erroneous values or modify
> packet fields after they are processed by the guest. To defend
> against these scenarios, return a copy of the incoming VMBus packet
> after validating its length and offset fields in hv_pkt_iter_first().
> In this way, the packet can no longer be modified by the host.
>
> Signed-off-by: Andres Beltran <[email protected]>
> Co-developed-by: Andrea Parri (Microsoft) <[email protected]>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> ---
> drivers/hv/channel.c | 9 ++--
> drivers/hv/hv_fcopy.c | 1 +
> drivers/hv/hv_kvp.c | 1 +
> drivers/hv/hyperv_vmbus.h | 2 +-
> drivers/hv/ring_buffer.c | 82 ++++++++++++++++++++++++++-----
> drivers/net/hyperv/hyperv_net.h | 7 +++
> drivers/net/hyperv/netvsc.c | 2 +
> drivers/net/hyperv/rndis_filter.c | 2 +
> drivers/scsi/storvsc_drv.c | 10 ++++
> include/linux/hyperv.h | 48 +++++++++++++++---
> net/vmw_vsock/hyperv_transport.c | 4 +-
> 11 files changed, 143 insertions(+), 25 deletions(-)

In theory this patch needs acks from network and scsi maintainers, but
the changes are so small and specific to Hyper-V drivers. In the
interest of making progress, I will be picking up this patch shortly
unless I hear objections.


Wei.

2021-05-10 17:34:27

by Wei Liu

[permalink] [raw]
Subject: Re: [PATCH hyperv-next] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

On Thu, May 06, 2021 at 05:49:45PM +0000, Wei Liu wrote:
> On Thu, Apr 08, 2021 at 06:14:39PM +0200, Andrea Parri (Microsoft) wrote:
> > From: Andres Beltran <[email protected]>
> >
> > Pointers to ring-buffer packets sent by Hyper-V are used within the
> > guest VM. Hyper-V can send packets with erroneous values or modify
> > packet fields after they are processed by the guest. To defend
> > against these scenarios, return a copy of the incoming VMBus packet
> > after validating its length and offset fields in hv_pkt_iter_first().
> > In this way, the packet can no longer be modified by the host.
> >
> > Signed-off-by: Andres Beltran <[email protected]>
> > Co-developed-by: Andrea Parri (Microsoft) <[email protected]>
> > Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> > ---
> > drivers/hv/channel.c | 9 ++--
> > drivers/hv/hv_fcopy.c | 1 +
> > drivers/hv/hv_kvp.c | 1 +
> > drivers/hv/hyperv_vmbus.h | 2 +-
> > drivers/hv/ring_buffer.c | 82 ++++++++++++++++++++++++++-----
> > drivers/net/hyperv/hyperv_net.h | 7 +++
> > drivers/net/hyperv/netvsc.c | 2 +
> > drivers/net/hyperv/rndis_filter.c | 2 +
> > drivers/scsi/storvsc_drv.c | 10 ++++
> > include/linux/hyperv.h | 48 +++++++++++++++---
> > net/vmw_vsock/hyperv_transport.c | 4 +-
> > 11 files changed, 143 insertions(+), 25 deletions(-)
>
> In theory this patch needs acks from network and scsi maintainers, but
> the changes are so small and specific to Hyper-V drivers. In the
> interest of making progress, I will be picking up this patch shortly
> unless I hear objections.

Applied to hyperv-next.

Wei.