From: Jason Wang
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, xieyongji@bytedance.com, stefanha@redhat.com, file@sect.tu-berlin.de, ashish.kalra@amd.com, martin.radev@aisec.fraunhofer.de, konrad.wilk@oracle.com, kvm@vger.kernel.org
Subject: [RFC PATCH 4/7] virtio_ring: secure handling of mapping errors
Date: Wed, 21 Apr 2021 11:21:14 +0800
Message-Id: <20210421032117.5177-5-jasowang@redhat.com>
In-Reply-To: <20210421032117.5177-1-jasowang@redhat.com>
References: <20210421032117.5177-1-jasowang@redhat.com>

We should not depend on the DMA address, length and flag of descriptor table since they could be written with arbitrary values by the device. So this patch switches to use the stored one in desc_extra.

Note that the indirect descriptors are fine since they are read-only streaming mappings.

Signed-off-by: Jason Wang
--- drivers/virtio/virtio_ring.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index 0cdd965dba58..5509c2643fb1 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c 
@@ -1213,13 +1213,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, unmap_release: err_idx = i; i = head; + curr = vq->free_head; vq->packed.avail_used_flags = avail_used_flags; for (n = 0; n < total_sg; n++) { if (i == err_idx) break; - vring_unmap_desc_packed(vq, &desc[i]); + vring_unmap_state_packed(vq, + &vq->packed.desc_extra[curr]); + curr = vq->packed.desc_extra[curr].next; i++; if (i >= vq->packed.vring.num) i = 0; -- 2.25.1
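
Review bot: at `curr = vq->free_head;` in the unmap_release path, the unwind now relies on two invariants that this hunk does not show: that vq->free_head still points at the first desc_extra entry used for this request when the mapping fails, and that the address, length and flags were already stored in desc_extra[curr] for every descriptor before err_idx. Please state that in a short comment at the label, or capture the starting index in a local before the fill loop, because i and curr are now advanced independently and only i is compared against err_idx and wrapped at vq->packed.vring.num. The commit message's point that indirect descriptors are fine because they are read-only streaming mappings would also be worth a one-line comment next to the vring_unmap_state_packed() call, so the reason desc[] is no longer read here is visible in the code.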