Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp2611702pxb; Tue, 24 Aug 2021 03:29:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzI4+6aqVpco2cAw66Soe+2vV+3PKB+dd7ZkobiHGENlvPVeRuFeYKqcpds0Pp1DBVB/fx+ X-Received: by 2002:a05:6e02:d0f:: with SMTP id g15mr6597026ilj.71.1629800952492; Tue, 24 Aug 2021 03:29:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629800952; cv=none; d=google.com; s=arc-20160816; b=Gcjj8t8slKGDuN2TbQuTX1Xx6coh0wRPsMCPcm0TfJY4JPL5hKIJ5PGwysy+VLDJ7Y Oc3KNKXxra3mmPWcEbCmViOKPVcq2MHyUHZork+SWMYCvj1Uus12Huye9JpTAb6mQk2N sUs01dy7SC2HnS9yxuFANw1axA0CmjOj34Gbyp0I9lGJ3zZNPJNnVmdZeR2SEeV/Qmgv +ebZzSrsKfjNM95Hud8tSiMvQ3YNSV3FhLxIcp9Z9de9TG4UzavggKE6Q1/dXPHVBfCL xSIy5kTVNSwH6zqQDCgKEjs06KjfTSTPJ13YW/aMeqmbO8PwGfg6eez25mKBNFIxSg8E qoyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=3sbNcmhBSTVo5KYZTHugr3AbCZgn9x7Of4fyWuiEohU=; b=w22WzBDz6vbb4RoQeMfKnoYpG+s75MnIjBj9DHSz8WeaFv0mviiF3vJVlHsCw3wT3d aDbGemEovNX+TqgheN80mlXg2vey2X7Rwf3sM2TPjc48vtvsGX5AndzwSKoOvkiQfyD9 5gq9ZcO6bNjTW9CdcE0zDrJh1JKtjEeDH3udV1qwKcsKRFvJofZR5zaE51IQ4OdlcCtw 8+Ecx+i8G+mMaxwinlSRvhFROar/bN8jpksp++xJrCUnusiSpT8rR0ktvU/n1u4N+3PD l3UOApDgskJzKS7cjnCLL8Zq5EOn4AGRn3wujZSpbZxtzmS6O2j51Ry9nPde7HlPxKos oM1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=n3qgFoWw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s1si17512890jat.65.2021.08.24.03.28.59; Tue, 24 Aug 2021 03:29:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=n3qgFoWw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236139AbhHXK26 (ORCPT + 99 others); Tue, 24 Aug 2021 06:28:58 -0400 Received: from smtp-out2.suse.de ([195.135.220.29]:44490 "EHLO smtp-out2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235905AbhHXK26 (ORCPT ); Tue, 24 Aug 2021 06:28:58 -0400 Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 4E91D1FD84; Tue, 24 Aug 2021 10:28:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1629800893; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=3sbNcmhBSTVo5KYZTHugr3AbCZgn9x7Of4fyWuiEohU=; b=n3qgFoWwu0QTp3L1qNcVioaf+GMOKbbANz2taAoIgSXmKNVNwa1yG4bHW42VfW1etWEUhQ VRUcGVx5mWXQ33GYeeIfj+MEftA6855+98ln0kqZi6NPCJyX24axaQt7+P+CyQSby5QRld R0wf2tkrOhsK1c49Qpgw10FQ3Xc7nxs= Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap1.suse-dmz.suse.de (Postfix) with ESMTPS id 0A1AB136DD; Tue, 24 Aug 2021 10:28:13 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap1.suse-dmz.suse.de with ESMTPSA id WT7oAL3JJGG8DwAAGKfGzw (envelope-from ); Tue, 24 Aug 2021 10:28:13 +0000 From: Juergen Gross To: xen-devel@lists.xenproject.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Juergen Gross , Boris Ostrovsky , Stefano Stabellini , "David S. Miller" , Jakub Kicinski Subject: [PATCH v2 0/4] xen: harden netfront against malicious backends Date: Tue, 24 Aug 2021 12:28:05 +0200 Message-Id: <20210824102809.26370-1-jgross@suse.com> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Xen backends of para-virtualized devices can live in dom0 kernel, dom0 user land, or in a driver domain. This means that a backend might reside in a less trusted environment than the Xen core components, so a backend should not be able to do harm to a Xen guest (it can still mess up I/O data, but it shouldn't be able to e.g. crash a guest by other means or cause a privilege escalation in the guest). Unfortunately netfront in the Linux kernel is fully trusting its backend. This series is fixing netfront in this regard. It was discussed to handle this as a security problem, but the topic was discussed in public before, so it isn't a real secret. It should be mentioned that a similar series has been posted some years ago by Marek Marczykowski-Górecki, but this series has not been applied due to a Xen header not having been available in the Xen git repo at that time. Additionally my series is fixing some more DoS cases. Changes in V2: - put netfront patches into own series - comments addressed - new patch 3 Juergen Gross (4): xen/netfront: read response from backend only once xen/netfront: don't read data from request on the ring page xen/netfront: disentangle tx_skb_freelist xen/netfront: don't trust the backend response data blindly drivers/net/xen-netfront.c | 272 +++++++++++++++++++++++-------------- 1 file changed, 169 insertions(+), 103 deletions(-) -- 2.26.2