From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Andi Kleen, Alexander Shishkin, Amit Shah, Arnd Bergmann, Greg Kroah-Hartman
Subject: [PATCH v1 2/6] virtio console: Harden port adding
Date: Thu, 19 Jan 2023 15:57:17 +0200
Message-Id: <20230119135721.83345-3-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
References: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

From: Andi Kleen

The ADD_PORT operation reads and sanity checks the port id
multiple times from the untrusted host. This is not safe because
a malicious host could change it between reads.

Read the port id only once and cache it for subsequent uses.

Signed-off-by: Andi Kleen
Signed-off-by: Alexander Shishkin
Cc: Amit Shah
Cc: Arnd Bergmann
Cc: Greg Kroah-Hartman
---
 drivers/char/virtio_console.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c index f4fd5fe7cd3a..6599c2956ba4 100644 --- a/drivers/char/virtio_console.c +++ b/drivers/char/virtio_console.c @@ -1563,10 +1563,13 @@ static void handle_control_message(struct virtio_device *vdev, struct port *port; size_t name_size; int err; + unsigned id; cpkt = (struct virtio_console_control *)(buf->buf + buf->offset); - port = find_port_by_id(portdev, virtio32_to_cpu(vdev, cpkt->id)); + /* Make sure the host cannot change id under us */ + id = virtio32_to_cpu(vdev, READ_ONCE(cpkt->id)); + port = find_port_by_id(portdev, id); if (!port && cpkt->event != cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD)) { /* No valid header at start of buffer. Drop it. */ @@ -1583,15 +1586,14 @@ static void handle_control_message(struct virtio_device *vdev, send_control_msg(port, VIRTIO_CONSOLE_PORT_READY, 1); break; } - if (virtio32_to_cpu(vdev, cpkt->id) >= - portdev->max_nr_ports) { + if (id >= portdev->max_nr_ports) { dev_warn(&portdev->vdev->dev, "Request for adding port with " "out-of-bound id %u, max. supported id: %u\n", cpkt->id, portdev->max_nr_ports - 1); break; } - add_port(portdev, virtio32_to_cpu(vdev, cpkt->id)); + add_port(portdev, id); break; case VIRTIO_CONSOLE_PORT_REMOVE: unplug_port(port); -- 2.39.0
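
Review bot: In the first hunk (@@ -1563), the context line directly after the new cached read still fetches cpkt->event from the same host-visible buffer ("if (!port && cpkt->event != cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD))"), so the event field has the same read-more-than-once exposure that the commit message describes for the id. Consider reading it once into a local with READ_ONCE() next to the id and using that local for this check and for any later use of the event. As a style point, "unsigned id;" would normally be spelled "unsigned int id;" (or u32, to match what virtio32_to_cpu() returns).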
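
Review bot: In the second hunk (@@ -1583), the dev_warn() for the out-of-bound case still passes cpkt->id as its %u argument, so the function keeps one more read of the host-controlled field after the check has been switched to the cached id. The logged value can therefore differ from the value that was actually compared against portdev->max_nr_ports, and it is printed without the virtio32_to_cpu() conversion. Pass the cached id to dev_warn() instead, so that every use in this case goes through the single READ_ONCE() read.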