2022-04-14 19:20:14

by Andrea Parri

[permalink] [raw]
Subject: [RFC PATCH 2/6] hv_sock: Copy packets sent by Hyper-V out of the ring buffer

Pointers to VMbus packets sent by Hyper-V are used by the hv_sock driver
within the gues VM. Hyper-V can send packets with erroneous values or
modify packet fields after they are processed by the guest. To defend
against these scenarios, copy the incoming packet after validating its
length and offset fields using hv_pkt_iter_{first,next}(). In this way,
the packet can no longer be modified by the host.

Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
---
net/vmw_vsock/hyperv_transport.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index 943352530936e..8c37d07017fc4 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -78,6 +78,9 @@ struct hvs_send_buf {
ALIGN((payload_len), 8) + \
VMBUS_PKT_TRAILER_SIZE)

+/* Upper bound on the size of a VMbus packet for hv_sock */
+#define HVS_MAX_PKT_SIZE HVS_PKT_LEN(HVS_MTU_SIZE)
+
union hvs_service_id {
guid_t srv_id;

@@ -378,6 +381,8 @@ static void hvs_open_connection(struct vmbus_channel *chan)
rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE);
}

+ chan->max_pkt_size = HVS_MAX_PKT_SIZE;
+
ret = vmbus_open(chan, sndbuf, rcvbuf, NULL, 0, hvs_channel_cb,
conn_from_host ? new : sk);
if (ret != 0) {
@@ -602,7 +607,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,
return -EOPNOTSUPP;

if (need_refill) {
- hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
+ hvs->recv_desc = hv_pkt_iter_first(hvs->chan);
if (!hvs->recv_desc)
return -ENOBUFS;
ret = hvs_update_recv_data(hvs);
@@ -618,7 +623,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,

hvs->recv_data_len -= to_read;
if (hvs->recv_data_len == 0) {
- hvs->recv_desc = hv_pkt_iter_next_raw(hvs->chan, hvs->recv_desc);
+ hvs->recv_desc = hv_pkt_iter_next(hvs->chan, hvs->recv_desc);
if (hvs->recv_desc) {
ret = hvs_update_recv_data(hvs);
if (ret)
--
2.25.1


2022-04-15 22:02:21

by Andrea Parri

[permalink] [raw]
Subject: Re: [RFC PATCH 2/6] hv_sock: Copy packets sent by Hyper-V out of the ring buffer

On Fri, Apr 15, 2022 at 03:33:31AM +0000, Michael Kelley (LINUX) wrote:
> From: Andrea Parri (Microsoft) <[email protected]> Sent: Wednesday, April 13, 2022 1:48 PM
> >
> > Pointers to VMbus packets sent by Hyper-V are used by the hv_sock driver
> > within the gues VM. Hyper-V can send packets with erroneous values or
>
> s/gues/guest/

Fixed.

Thanks,
Andrea

2022-04-16 01:49:57

by Michael Kelley (LINUX)

[permalink] [raw]
Subject: RE: [RFC PATCH 2/6] hv_sock: Copy packets sent by Hyper-V out of the ring buffer

From: Andrea Parri (Microsoft) <[email protected]> Sent: Wednesday, April 13, 2022 1:48 PM
>
> Pointers to VMbus packets sent by Hyper-V are used by the hv_sock driver
> within the gues VM. Hyper-V can send packets with erroneous values or

s/gues/guest/

> modify packet fields after they are processed by the guest. To defend
> against these scenarios, copy the incoming packet after validating its
> length and offset fields using hv_pkt_iter_{first,next}(). In this way,
> the packet can no longer be modified by the host.
>
> Signed-off-by: Andrea Parri (Microsoft) <[email protected]>
> ---
> net/vmw_vsock/hyperv_transport.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
> index 943352530936e..8c37d07017fc4 100644
> --- a/net/vmw_vsock/hyperv_transport.c
> +++ b/net/vmw_vsock/hyperv_transport.c
> @@ -78,6 +78,9 @@ struct hvs_send_buf {
> ALIGN((payload_len), 8) + \
> VMBUS_PKT_TRAILER_SIZE)
>
> +/* Upper bound on the size of a VMbus packet for hv_sock */
> +#define HVS_MAX_PKT_SIZE HVS_PKT_LEN(HVS_MTU_SIZE)
> +
> union hvs_service_id {
> guid_t srv_id;
>
> @@ -378,6 +381,8 @@ static void hvs_open_connection(struct vmbus_channel *chan)
> rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE);
> }
>
> + chan->max_pkt_size = HVS_MAX_PKT_SIZE;
> +
> ret = vmbus_open(chan, sndbuf, rcvbuf, NULL, 0, hvs_channel_cb,
> conn_from_host ? new : sk);
> if (ret != 0) {
> @@ -602,7 +607,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk,
> struct msghdr *msg,
> return -EOPNOTSUPP;
>
> if (need_refill) {
> - hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
> + hvs->recv_desc = hv_pkt_iter_first(hvs->chan);
> if (!hvs->recv_desc)
> return -ENOBUFS;
> ret = hvs_update_recv_data(hvs);
> @@ -618,7 +623,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk,
> struct msghdr *msg,
>
> hvs->recv_data_len -= to_read;
> if (hvs->recv_data_len == 0) {
> - hvs->recv_desc = hv_pkt_iter_next_raw(hvs->chan, hvs->recv_desc);
> + hvs->recv_desc = hv_pkt_iter_next(hvs->chan, hvs->recv_desc);
> if (hvs->recv_desc) {
> ret = hvs_update_recv_data(hvs);
> if (ret)
> --
> 2.25.1