Current virtio device drivers may trust the used length returned
in virtqueue_get_buf()/virtqueue_get_buf_ctx(). But the used length
might come from an untrusted device when VDUSE[1] is enabled. To
protect this case, this series tries to add validation for the
used length.
Since many legacy devices will also set the used length incorrectly,
we did not add the validation unconditionally. Instead, we will do
the validation only when the device driver needs the used length.
A NULL len passed to virtqueue_get_buf()/virtqueue_get_buf_ctx()
will mean the used length is not needed by the device driver.
[1] https://lore.kernel.org/kvm/[email protected]/
Xie Yongji (17):
virtio_ring: Avoid reading unneeded used length
virtio-blk: Remove unused used length
virtio_console: Remove unused used length
crypto: virtio - Remove unused used length
drm/virtio: Remove unused used length
caif_virtio: Remove unused used length
virtio_net: Remove unused used length
mac80211_hwsim: Remove unused used length
virtio_pmem: Remove unused used length
rpmsg: virtio: Remove unused used length
virtio_scsi: Remove unused used length
virtio_balloon: Remove unused used length
virtio_input: Remove unused used length
virtio_mem: Remove unused used length
virtiofs: Remove unused used length
vsock: Remove unused used length
virtio_ring: Add validation for used length
drivers/block/virtio_blk.c | 3 +--
drivers/char/virtio_console.c | 12 ++++--------
drivers/crypto/virtio/virtio_crypto_algs.c | 6 ++----
drivers/gpu/drm/virtio/virtgpu_vq.c | 3 +--
drivers/net/caif/caif_virtio.c | 3 +--
drivers/net/virtio_net.c | 10 ++++------
drivers/net/wireless/mac80211_hwsim.c | 3 +--
drivers/nvdimm/nd_virtio.c | 3 +--
drivers/rpmsg/virtio_rpmsg_bus.c | 3 +--
drivers/scsi/virtio_scsi.c | 3 +--
drivers/virtio/virtio_balloon.c | 21 ++++++++++-----------
drivers/virtio/virtio_input.c | 6 ++----
drivers/virtio/virtio_mem.c | 3 +--
drivers/virtio/virtio_ring.c | 28 +++++++++++++++++++++++-----
fs/fuse/virtio_fs.c | 6 ++----
net/vmw_vsock/virtio_transport.c | 3 +--
16 files changed, 56 insertions(+), 60 deletions(-)
--
2.11.0
If device driver doesn't need used length, it can pass a NULL
len in virtqueue_get_buf()/virtqueue_get_buf_ctx(). Then
we can avoid reading and validating the len value in used
ring entries.
Signed-off-by: Xie Yongji <[email protected]>
---
drivers/virtio/virtio_ring.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 54e12dd91310..d999a1d6d271 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -772,7 +772,8 @@ static void *virtqueue_get_buf_ctx_split(struct virtqueue *_vq,
last_used = (vq->last_used_idx & (vq->split.vring.num - 1));
i = virtio32_to_cpu(_vq->vdev,
vq->split.vring.used->ring[last_used].id);
- *len = virtio32_to_cpu(_vq->vdev,
+ if (len)
+ *len = virtio32_to_cpu(_vq->vdev,
vq->split.vring.used->ring[last_used].len);
if (unlikely(i >= vq->split.vring.num)) {
@@ -1444,7 +1445,8 @@ static void *virtqueue_get_buf_ctx_packed(struct virtqueue *_vq,
last_used = vq->last_used_idx;
id = le16_to_cpu(vq->packed.vring.desc[last_used].id);
- *len = le32_to_cpu(vq->packed.vring.desc[last_used].len);
+ if (len)
+ *len = le32_to_cpu(vq->packed.vring.desc[last_used].len);
if (unlikely(id >= vq->packed.vring.num)) {
BAD_RING(vq, "id %u out of range\n", id);
--
2.11.0
On Mon, 2021-05-17 at 17:08 +0800, Xie Yongji wrote:
> If device driver doesn't need used length, it can pass a NULL
> len in virtqueue_get_buf()/virtqueue_get_buf_ctx().
>
Well, actually, it can't right now?
You should probably rephrase this, saying something like
Allow passing NULL to len in ... if the device driver doesn't need
the length, and don't read it in that case.
or so?
> Then
> we can avoid reading and validating the len value in used
> ring entries.
Not sure what that "validating" is about, I only see reading?
johannes
On Mon, May 17, 2021 at 5:12 PM Johannes Berg <[email protected]> wrote:
>
> On Mon, 2021-05-17 at 17:08 +0800, Xie Yongji wrote:
> > If device driver doesn't need used length, it can pass a NULL
> > len in virtqueue_get_buf()/virtqueue_get_buf_ctx().
> >
>
> Well, actually, it can't right now?
>
Yes.
> You should probably rephrase this, saying something like
>
> Allow passing NULL to len in ... if the device driver doesn't need
> the length, and don't read it in that case.
>
> or so?
>
Looks good to me.
> > Then
> > we can avoid reading and validating the len value in used
> > ring entries.
>
> Not sure what that "validating" is about, I only see reading?
>
The “validating" is actually done in the last patch of this series.
Will remove it.
Thanks,
Yongji
On Mon, May 17, 2021 at 05:08:19PM +0800, Xie Yongji wrote:
> Current virtio device drivers may trust the used length returned
> in virtqueue_get_buf()/virtqueue_get_buf_ctx(). But the used length
> might come from an untrusted device when VDUSE[1] is enabled. To
> protect this case, this series tries to add validation for the
> used length.
>
> Since many legacy devices will also set the used length incorrectly,
> we did not add the validation unconditionally. Instead, we will do
> the validation only when the device driver needs the used length.
> A NULL len passed to virtqueue_get_buf()/virtqueue_get_buf_ctx()
> will mean the used length is not needed by the device driver.
Can we be more specific? Which drivers have problems when used len
is incorrect? Maybe there's an easier way like validating the length
in the driver ...
> [1] https://lore.kernel.org/kvm/[email protected]/
>
> Xie Yongji (17):
> virtio_ring: Avoid reading unneeded used length
> virtio-blk: Remove unused used length
> virtio_console: Remove unused used length
> crypto: virtio - Remove unused used length
> drm/virtio: Remove unused used length
> caif_virtio: Remove unused used length
> virtio_net: Remove unused used length
> mac80211_hwsim: Remove unused used length
> virtio_pmem: Remove unused used length
> rpmsg: virtio: Remove unused used length
> virtio_scsi: Remove unused used length
> virtio_balloon: Remove unused used length
> virtio_input: Remove unused used length
> virtio_mem: Remove unused used length
> virtiofs: Remove unused used length
> vsock: Remove unused used length
> virtio_ring: Add validation for used length
>
> drivers/block/virtio_blk.c | 3 +--
> drivers/char/virtio_console.c | 12 ++++--------
> drivers/crypto/virtio/virtio_crypto_algs.c | 6 ++----
> drivers/gpu/drm/virtio/virtgpu_vq.c | 3 +--
> drivers/net/caif/caif_virtio.c | 3 +--
> drivers/net/virtio_net.c | 10 ++++------
> drivers/net/wireless/mac80211_hwsim.c | 3 +--
> drivers/nvdimm/nd_virtio.c | 3 +--
> drivers/rpmsg/virtio_rpmsg_bus.c | 3 +--
> drivers/scsi/virtio_scsi.c | 3 +--
> drivers/virtio/virtio_balloon.c | 21 ++++++++++-----------
> drivers/virtio/virtio_input.c | 6 ++----
> drivers/virtio/virtio_mem.c | 3 +--
> drivers/virtio/virtio_ring.c | 28 +++++++++++++++++++++++-----
> fs/fuse/virtio_fs.c | 6 ++----
> net/vmw_vsock/virtio_transport.c | 3 +--
> 16 files changed, 56 insertions(+), 60 deletions(-)
>
> --
> 2.11.0
On Tue, May 18, 2021 at 7:40 AM Michael S. Tsirkin <[email protected]> wrote:
>
> On Mon, May 17, 2021 at 05:08:19PM +0800, Xie Yongji wrote:
> > Current virtio device drivers may trust the used length returned
> > in virtqueue_get_buf()/virtqueue_get_buf_ctx(). But the used length
> > might come from an untrusted device when VDUSE[1] is enabled. To
> > protect this case, this series tries to add validation for the
> > used length.
> >
> > Since many legacy devices will also set the used length incorrectly,
> > we did not add the validation unconditionally. Instead, we will do
> > the validation only when the device driver needs the used length.
> > A NULL len passed to virtqueue_get_buf()/virtqueue_get_buf_ctx()
> > will mean the used length is not needed by the device driver.
>
> Can we be more specific? Which drivers have problems when used len
> is incorrect? Maybe there's an easier way like validating the length
> in the driver ...
>
It's ok to me. But this means all future new drivers need to remember
to do the validation.
Now only virtio-net and virtio-console drivers have this problem. I
can send some patches to fix it.
Thanks,
Yongji
On Tue, May 18, 2021 at 04:29:44PM +0800, Yongji Xie wrote:
> On Tue, May 18, 2021 at 7:40 AM Michael S. Tsirkin <[email protected]> wrote:
> >
> > On Mon, May 17, 2021 at 05:08:19PM +0800, Xie Yongji wrote:
> > > Current virtio device drivers may trust the used length returned
> > > in virtqueue_get_buf()/virtqueue_get_buf_ctx(). But the used length
> > > might come from an untrusted device when VDUSE[1] is enabled. To
> > > protect this case, this series tries to add validation for the
> > > used length.
> > >
> > > Since many legacy devices will also set the used length incorrectly,
> > > we did not add the validation unconditionally. Instead, we will do
> > > the validation only when the device driver needs the used length.
> > > A NULL len passed to virtqueue_get_buf()/virtqueue_get_buf_ctx()
> > > will mean the used length is not needed by the device driver.
> >
> > Can we be more specific? Which drivers have problems when used len
> > is incorrect? Maybe there's an easier way like validating the length
> > in the driver ...
> >
>
> It's ok to me. But this means all future new drivers need to remember
> to do the validation.
>
> Now only virtio-net and virtio-console drivers have this problem. I
> can send some patches to fix it.
>
> Thanks,
> Yongji
I'd say let's just document the requirement for now.
--
MST
On Tue, May 18, 2021 at 5:52 PM Michael S. Tsirkin <[email protected]> wrote:
>
> On Tue, May 18, 2021 at 04:29:44PM +0800, Yongji Xie wrote:
> > On Tue, May 18, 2021 at 7:40 AM Michael S. Tsirkin <[email protected]> wrote:
> > >
> > > On Mon, May 17, 2021 at 05:08:19PM +0800, Xie Yongji wrote:
> > > > Current virtio device drivers may trust the used length returned
> > > > in virtqueue_get_buf()/virtqueue_get_buf_ctx(). But the used length
> > > > might come from an untrusted device when VDUSE[1] is enabled. To
> > > > protect this case, this series tries to add validation for the
> > > > used length.
> > > >
> > > > Since many legacy devices will also set the used length incorrectly,
> > > > we did not add the validation unconditionally. Instead, we will do
> > > > the validation only when the device driver needs the used length.
> > > > A NULL len passed to virtqueue_get_buf()/virtqueue_get_buf_ctx()
> > > > will mean the used length is not needed by the device driver.
> > >
> > > Can we be more specific? Which drivers have problems when used len
> > > is incorrect? Maybe there's an easier way like validating the length
> > > in the driver ...
> > >
> >
> > It's ok to me. But this means all future new drivers need to remember
> > to do the validation.
> >
> > Now only virtio-net and virtio-console drivers have this problem. I
> > can send some patches to fix it.
> >
> > Thanks,
> > Yongji
>
> I'd say let's just document the requirement for now.
>
It's fine with me.
Thanks,
Yongji