Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp1741602pxb; Mon, 23 Aug 2021 03:34:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy5Hbil6WyXj8jxciMyg2JRh2j7RB09DAijFjHvNM03+lh/DcdIPFrw1YNl6zJZbl5PDigg X-Received: by 2002:a92:ab0c:: with SMTP id v12mr8079503ilh.292.1629714895598; Mon, 23 Aug 2021 03:34:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629714895; cv=none; d=google.com; s=arc-20160816; b=cGgCnnjqFo1f6pXGgGsSmTs76VgIe/aWl5eBjK7G8KsCmyvxY0sGMH75eQItRwnzM/ cZ6ak5OXYndUnPxRdTOKLMBUqWtuesPC1uh7ZR5W4bVjZ3m7twsGgdbbRAB3qKrVs/RP G+X44aJBTzL6+w3BoE/Xbu/2h260HcLpPekBBr+E+xze9OtpGqSoarWA+yNu2wj61DnD hEAwT6gPTQvMsiP74DhG2YXMpOGi5TWn1BipHXEYseO5SuXuVSM9f3nz6feyC8IyNNak 56q6M/t9kKv4aFdOvoiuNxD3A8/odF1Ax6qRlHSPLudwLtopFwp8FaoijuTorBYUIv/Z 8t3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=g/DY+OKWTsrv1NoEpSDvo3NhS3o2ve347PTYrzSDCA4=; b=0ynhr7v9hBoc+syCWXl4l1qjFNm9FV7eNSeFBHzJFS+cqWyHwBS2ceACyBIP63MJfz GukavS4dfJb4m1d+Hb9VQ2mNvD9aViJP6xiD4dZX6EbXpuuxVrbEpPTZKbOPh4Xz7bIP dCOpuY+Nfk9Vh9LajzNw+7ryS5Sc/ocfK+8+/mgrurw/afNqFnkPcLikRZ/pfRe8IxL7 0TK/H6VuMzzSLLwGlKgyUS+tYop9NTYaNF7cmSobr1Ey0oa/P5sxBsuus//ae1MAHGQ/ LrC1/fovVC3bfepd6Y1LT4+//gFYIOBLFsiYoOXPK2Su4EjJrkN0Okmcyyqnm/IKuSJU hyIQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b=axMEufMV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v2si16305647ilc.51.2021.08.23.03.34.44; Mon, 23 Aug 2021 03:34:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@bytedance-com.20150623.gappssmtp.com header.s=20150623 header.b=axMEufMV; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bytedance.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236136AbhHWKeO (ORCPT + 99 others); Mon, 23 Aug 2021 06:34:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236214AbhHWKeL (ORCPT ); Mon, 23 Aug 2021 06:34:11 -0400 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CB12FC061757 for ; Mon, 23 Aug 2021 03:33:26 -0700 (PDT) Received: by mail-ej1-x629.google.com with SMTP id d11so35893072eja.8 for ; Mon, 23 Aug 2021 03:33:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g/DY+OKWTsrv1NoEpSDvo3NhS3o2ve347PTYrzSDCA4=; b=axMEufMVfMOFUPSzDbB+7DkaSjLMi/NpJEetF40eqwcyX9WtPbHi274IfxagBjKMjN zdTR3HuIWWG8YAdyCCoO4LyDnQwE0r03whY6vvpG9CZVOZHGJFVdvMGtpgxnoxfYfq6r V57QgC+vCR7VTCzatYQ4NqWL8BB6+cr9T6YzUZjN0YROng7MwTDtKHMkeY7zpkghdHJs iuXHf2GpGJcWgfVHuOklQ2Mp335SCY8qmuDGWd59vSW4CARuH9Nwc2/emiVeeRKMk2QF ykypaN/yxKBZ/RxmVd91QjsV58cSuBp7Cj6cE4lI6L4COmK2/DPy/buvc7yfMggQBPld Kgtg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g/DY+OKWTsrv1NoEpSDvo3NhS3o2ve347PTYrzSDCA4=; b=QqL12/ssu8EkFGahXqzf87J2fTg3ikFJk5qRVfBp3uhM4rzwZgCNtnsAlLRlRP9YXE GF2kRG4GfYGTztvUIltPZf/0mOKUI33dr+x5YASMCy4wdR6tT1xrhDbOhJg5auN3iGQB 5wiKf5yTMMkZZP2cGnxfUKE/sUsbxER7+uSo9jvCuiSlz8dMpJ7XZsi2j7eEQDeFpJ3U fRDe5c39nZcmqwK7TEXJ2FAXzFmo+UOeeOEAd8AdQlL29abmVRiqh06bw8eYHwYo8zcv y1WGH+6Pa+Bo/HRcNMy30EodJd1MfpXBTuKQpoQtOLuVrLDoZbBTHF7higR/NtzNRDil c0Nw== X-Gm-Message-State: AOAM533aKxV8kZ7RWxAaTvJnvSASrgZg2OKblorWrIHsV1Tm2muwP7jM QI62uor43ks/iThXhKAwUWjoQhq77UUDRryqa3MC X-Received: by 2002:a17:906:659:: with SMTP id t25mr34672931ejb.372.1629714805449; Mon, 23 Aug 2021 03:33:25 -0700 (PDT) MIME-Version: 1.0 References: <20210809101609.148-1-xieyongji@bytedance.com> <06af4897-7339-fca7-bdd9-e0f9c2c6195b@nvidia.com> <6d6154d7-7947-68be-4e1e-4c1d0a94b2bc@nvidia.com> In-Reply-To: <6d6154d7-7947-68be-4e1e-4c1d0a94b2bc@nvidia.com> From: Yongji Xie Date: Mon, 23 Aug 2021 18:33:14 +0800 Message-ID: Subject: Re: [PATCH v5] virtio-blk: Add validation for block size in config space To: Max Gurtovoy Cc: "Michael S. Tsirkin" , Jason Wang , Stefan Hajnoczi , virtualization , linux-block@vger.kernel.org, linux-kernel Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 23, 2021 at 5:38 PM Max Gurtovoy wrote: > > > On 8/23/2021 12:27 PM, Yongji Xie wrote: > > On Mon, Aug 23, 2021 at 5:04 PM Max Gurtovoy wrote: > >> > >> On 8/23/2021 11:35 AM, Yongji Xie wrote: > >>> On Mon, Aug 23, 2021 at 4:07 PM Max Gurtovoy wrote: > >>>> On 8/23/2021 7:31 AM, Yongji Xie wrote: > >>>>> On Mon, Aug 23, 2021 at 7:17 AM Max Gurtovoy wrote: > >>>>>> On 8/9/2021 1:16 PM, Xie Yongji wrote: > >>>>>>> An untrusted device might presents an invalid block size > >>>>>>> in configuration space. This tries to add validation for it > >>>>>>> in the validate callback and clear the VIRTIO_BLK_F_BLK_SIZE > >>>>>>> feature bit if the value is out of the supported range. > >>>>>> This is not clear to me. What is untrusted device ? is it a buggy device ? > >>>>>> > >>>>> A buggy device, the devices in an encrypted VM, or a userspace device > >>>>> created by VDUSE [1]. > >>>>> > >>>>> [1] https://lore.kernel.org/kvm/20210818120642.165-1-xieyongji@bytedance.com/ > >>>> if it's a userspace device, why don't you fix its control path code > >>>> instead of adding workarounds in the kernel driver ? > >>>> > >>> VDUSE kernel module would not touch (be aware of) the device specific > >>> configuration space. It should be more reasonable to fix it in the > >>> device driver. There is also some existing interface (.validate()) for > >>> doing that. > >> who is emulating the device configuration space ? > >> > > A userspace daemon will initialize the device configuration space and > > pass the contents to the VDUSE kernel module. The VDUSE kernel module > > will handle the access of the config space from the virtio device > > driver, but it doesn't need to know the contents (although we can know > > that). > > So you add a workaround in the guest kernel drivers instead of checking > these quirks in the hypervisor ? > I didn't see any problem adding this validation in the device driver. > VDUSE kernel should enforce the security for the devices it > emulates/presents to the VM. > I agree that the VDUSE kernel should enforce the security for the emulated devices. But I still think the virtio device driver should handle this case since nobody can make sure the device can always set the correct value. Adding this validation would be helpful. > >>> And regardless of userspace device, we still need to fix it for other cases. > >> which cases ? Do you know that there is a buggy HW we need to workaround ? > >> > > No, there isn't now. But this could be a potential attack surface if > > the host doesn't trust the device. > > If the host doesn't trust a device, why it continues using it ? > IIUC this is the case for the encrypted VMs. > Do you suggest we do these workarounds in all device drivers in the kernel ? > Isn't it the driver's job to validate some unreasonable configuration? Thanks, Yongji