Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp216328pxj; Thu, 13 May 2021 03:18:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwBpFMuak8ZuZ+seqQBqMVtaBotq3EyTmcgQvI82FPnoJpZjTfHIvQd9uq2XR5jbV+ptOYh X-Received: by 2002:a05:6e02:2162:: with SMTP id s2mr34905179ilv.237.1620901086922; Thu, 13 May 2021 03:18:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620901086; cv=none; d=google.com; s=arc-20160816; b=spaS9TRwUPnTo4L0JM/nSyzj6Iosioec/y6IQA8eAreOQsR+MIknO6VspE4JEr1Dh4 MGqnc0gdzBCwJhBRUHGpc31k3QrphzbAHweOR6CN/Q5V4M3WwGFzoqYsC8jk970j5yRT 8pjas/Vb/3mzg4vLXVoP5Dsfio2JjRiFLlpikN1nJzp/HAxi3r40dsytd3FETzdNeszv Eq+jOOf/MNIV+vImxFkleqvFqvpB6bbSYJ+gzcuZG6VZbHF30uR1I5s0i4ZznV9FiaFt 9w15QVNL/4d/WIOxr/uksCQi9qp9KzymomTXq6E429XN5HqboNZ/m6bu7Cn01L46KcCz XhHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=mSXvMzPiVbs1p8U5teTrqe++A9Kur1ffFfsRtolTEq4=; b=GQ5YHbVrl3HZgId9zMxwTFWeLqfEIX8QWAg13WhhwXTrtHE7OM9Ee7w1yp97fzlvBQ arE6e3+FEvJ2FKLQNRUYaAG9QgJJI2kAkVS/cSnh+qJNZhYu4qfPjQynuM+dtde4qwh7 Syt7nWnECJdnybjjhjC8mbegVeyAH0HLnOcas2edVvXk32YUeGBlBcg9AHjnCIXZYTwa CgBnS0ZILn4e9wTH4+JtmjmMzY6CDWSLDZAq4GBgyqPWlDzv6iHrJ7e3XcxS3WWZlhQQ 8TedrB5in4a0Fg3HypmMld++Zkz4ObAE/KcEmCERSS2Xh6FjMWblvPqBmnYHzL+6Gjl/ mweg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=Bt3HWyrB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k7si3337694iok.65.2021.05.13.03.17.54; Thu, 13 May 2021 03:18:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=Bt3HWyrB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232842AbhEMKE2 (ORCPT + 99 others); Thu, 13 May 2021 06:04:28 -0400 Received: from mx2.suse.de ([195.135.220.15]:37384 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232803AbhEMKEQ (ORCPT ); Thu, 13 May 2021 06:04:16 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1620900185; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=mSXvMzPiVbs1p8U5teTrqe++A9Kur1ffFfsRtolTEq4=; b=Bt3HWyrBQzhFA/VHRnLOrbIQmpMXluR0avJegIDgYP/25lKg9FIZAPmZkKNNj4Tn46vHsx DqH+iMtGCUU89BF3407TPvLq70y+9QiQwuomJ/KD69JlH6Mpq8EAgwwGKMJeCtvkebsFoG WMLd9rAM4L+C5WZX30UyH56rbG89gqM= Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 85808AFE5; Thu, 13 May 2021 10:03:05 +0000 (UTC) From: Juergen Gross To: xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, netdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org Cc: Juergen Gross , Boris Ostrovsky , Stefano Stabellini , Konrad Rzeszutek Wilk , =?UTF-8?q?Roger=20Pau=20Monn=C3=A9?= , Jens Axboe , "David S. Miller" , Jakub Kicinski , Greg Kroah-Hartman , Jiri Slaby Subject: [PATCH 0/8] xen: harden frontends against malicious backends Date: Thu, 13 May 2021 12:02:54 +0200 Message-Id: <20210513100302.22027-1-jgross@suse.com> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Xen backends of para-virtualized devices can live in dom0 kernel, dom0 user land, or in a driver domain. This means that a backend might reside in a less trusted environment than the Xen core components, so a backend should not be able to do harm to a Xen guest (it can still mess up I/O data, but it shouldn't be able to e.g. crash a guest by other means or cause a privilege escalation in the guest). Unfortunately many frontends in the Linux kernel are fully trusting their respective backends. This series is starting to fix the most important frontends: console, disk and network. It was discussed to handle this as a security problem, but the topic was discussed in public before, so it isn't a real secret. Juergen Gross (8): xen: sync include/xen/interface/io/ring.h with Xen's newest version xen/blkfront: read response from backend only once xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: don't trust the backend response data blindly xen/netfront: read response from backend only once xen/netfront: don't read data from request on the ring page xen/netfront: don't trust the backend response data blindly xen/hvc: replace BUG_ON() with negative return value drivers/block/xen-blkfront.c | 118 +++++++++----- drivers/net/xen-netfront.c | 184 ++++++++++++++------- drivers/tty/hvc/hvc_xen.c | 15 +- include/xen/interface/io/ring.h | 278 ++++++++++++++++++-------------- 4 files changed, 369 insertions(+), 226 deletions(-) -- 2.26.2