Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp2084112rwb;
        Thu, 19 Jan 2023 20:48:14 -0800 (PST)
X-Google-Smtp-Source: AMrXdXuzLMheTiPxs9qOl7PROk1DRANeZnEvtoSPz40IZSsmmBzFYsXQt6DoY6+CyiIbw5WWFDvH
X-Received: by 2002:a17:906:7f0d:b0:844:c651:ce4b with SMTP id d13-20020a1709067f0d00b00844c651ce4bmr14013737ejr.33.1674190093976;
        Thu, 19 Jan 2023 20:48:13 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1674190093; cv=none;
        d=google.com; s=arc-20160816;
        b=lZdhAn+78AV82IC1iO+BjaMkMIMBl56JcOpcVDFr8ahPXOM+I85+MxrT+t2v8x30JR
         fc7+lPR4GEEXY9OwzgsZAuS05Mz/i4g79knTWo0P0T8ylxWXMgbCpn0ygJ6vYpk5/e/a
         85NWSCWmA2U/yxqt7zFaz8Jcr8pMrq4wfgntyT5RDrDJFNJE9ftf430HM1jbSG3LdDmC
         vbloA4LgocfsxuLD4UO6rIdfs5WAkz0q0NrWcV+E1k0CL9qv9EStU83tyhI9gvQsPsTw
         eTnKCKHLV/h8oVD/E+qfsgJIwKCMKow96uvC6o6gbVE5a9gq9bWVqIdfvbnkmpGf/wxb
         kT4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=kiNW0wxavS3S2BFD12ZEflfwOV5nhfRrYLYhnBRD1Bw=;
        b=GyOZaiYvcZpA1q5LyVpVCRoavBGPDwEvXuT35tVLlOF0Dur6WZEBhtvPmEpzDWr0Qa
         yAPiG+5hAYq3xrYm0/bijE6hkLrBEIiSkprjNb+JUgGPXzByf3ny7hvfdIkAxVDhOxpv
         l9581kM4gQDQadX7sEYQjYNLd1wcbUfKMmv/abAiRkEipGDXCNKcAoSuIB6OB6Ztv2Un
         cEKVVNrj4SAY+MTWNrMADjyM1x8Ors45yj0QK62iiuYMGYVwW+94h95YsZQuYn8YdZ61
         nEYuTMWkxSxi/dnoxgmVSR2wzJ9Nqs0o0ZbhL+3qETdOUzT6gK7OygBHOimCsVcc7df1
         0Xow==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@intel.com header.s=Intel header.b=AInLfCzz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id m12-20020a056402510c00b0049dfd28dc0fsi23412164edd.347.2023.01.19.20.48.02;
        Thu, 19 Jan 2023 20:48:13 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@intel.com header.s=Intel header.b=AInLfCzz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229988AbjATEib (ORCPT <rfc822;abhi.c.pawar@gmail.com>
        + 47 others); Thu, 19 Jan 2023 23:38:31 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52742 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230299AbjATEiI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 19 Jan 2023 23:38:08 -0500
Received: from mga05.intel.com (mga05.intel.com [192.55.52.43])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 54724BFF41
        for <linux-kernel@vger.kernel.org>; Thu, 19 Jan 2023 20:34:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1674189294; x=1705725294;
  h=resent-from:resent-date:resent-message-id:resent-to:from:
   to:cc:subject:date:message-id:in-reply-to:references:
   mime-version:content-transfer-encoding;
  bh=vkH/geR8Ac3bg/SlAe70kTG4lkCo5fDV5PnPvmhuzPY=;
  b=AInLfCzzNZ4phgr43V6vCrwAz8MfY09TRPMFjIT04TMbp990w3NDUSat
   H8ejasmeJaCGpZEjOzUeGOAGQB5TOPSrTE4ECNSgpF1N/CYFmAm4wK4Wz
   10O4x0n2OkCuIpmxfHT3Nzttt+ipyFjadrRXVcYj9OC5iIrc3d0oTR2TV
   O5oj9Wc5J/DpbrhuxqCl+miyxmPvBn7Wyk7U7YZqjmvWOXHYAXsEYTGQg
   3m09FaYAe3TbmvT3pcttRukX8DGuCdY0YUwP6ZRHyZgI4th7KD1+nzSnz
   862uLftEihDnWEgzd6iOcuw6a05JzDCiO6w5GkSL4yIR99SzXUb+LPDyb
   Q==;
X-IronPort-AV: E=McAfee;i="6500,9779,10595"; a="411604610"
X-IronPort-AV: E=Sophos;i="5.97,229,1669104000"; 
   d="scan'208";a="411604610"
Received: from fmsmga002.fm.intel.com ([10.253.24.26])
  by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Jan 2023 10:15:04 -0800
X-ExtLoopCount2: 2 from 10.237.72.184
X-IronPort-AV: E=McAfee;i="6500,9779,10595"; a="768337809"
X-IronPort-AV: E=Sophos;i="5.97,229,1669104000"; 
   d="scan'208";a="768337809"
Received: from ubik.fi.intel.com (HELO ubik) ([10.237.72.184])
  by fmsmga002.fm.intel.com with ESMTP; 19 Jan 2023 10:15:03 -0800
Received: from ash by ubik with local (Exim 4.96)
        (envelope-from <alexander.shishkin@intel.com>)
        id 1pIZQy-00EPJw-1w
        for linux-kernel@vger.kernel.org;
        Thu, 19 Jan 2023 20:14:44 +0200
X-Original-To: alexander.shishkin@linux.intel.com
Received: from linux.intel.com [10.54.29.200]
        by ubik.fi.intel.com with IMAP (fetchmail-6.4.29)
        for <ash@localhost> (single-drop); Thu, 19 Jan 2023 15:59:06 +0200 (EET)
Received: from fmsmga005.fm.intel.com (fmsmga005.fm.intel.com [10.253.24.32])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by linux.intel.com (Postfix) with ESMTPS id 75439580AA4;
        Thu, 19 Jan 2023 05:57:15 -0800 (PST)
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6500,9779,10594"; a="988993960"
X-IronPort-AV: E=Sophos;i="5.97,229,1669104000"; 
   d="scan'208";a="988993960"
Received: from black.fi.intel.com (HELO black.fi.intel.com.) ([10.237.72.28])
  by fmsmga005.fm.intel.com with ESMTP; 19 Jan 2023 05:57:12 -0800
From:   Alexander Shishkin <alexander.shishkin@linux.intel.com>
To:     mst@redhat.com, jasowang@redhat.com
Cc:     virtualization@lists.linux-foundation.org,
        linux-kernel@vger.kernel.org, elena.reshetova@intel.com,
        kirill.shutemov@linux.intel.com,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Amit Shah <amit@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: [PATCH v1 4/6] virtio console: Harden control message handling
Date:   Thu, 19 Jan 2023 15:57:19 +0200
Message-Id: <20230119135721.83345-5-alexander.shishkin@linux.intel.com>
X-Mailer: git-send-email 2.39.0
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
References: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In handle_control_message(), we look at the ->event field twice, which
gives a malicious VMM a window in which to switch it from PORT_ADD to
PORT_REMOVE, triggering a null dereference further down the line:

RIP: 0010:spin_lock_irq ./include/linux/spinlock.h:388
RIP: 0010:unplug_port+0x9/0x150 drivers/char/virtio_console.c:1512
Call Trace:
 handle_control_message+0x108/0x2c0 drivers/char/virtio_console.c:1600
 elfcorehdr_read+0x40/0x40 ??:?
 process_one_work+0x1b4/0x310 kernel/workqueue.c:2297
 worker_thread+0x5c/0x3a0 kernel/workqueue.c:2444
 kthread+0x120/0x140 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Read the event code once instead, basing all following decisions on the
same value.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Amit Shah <amit@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/virtio_console.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 6599c2956ba4..62f69f949cb7 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1563,22 +1563,22 @@ static void handle_control_message(struct virtio_device *vdev,
 	struct port *port;
 	size_t name_size;
 	int err;
-	unsigned id;
+	unsigned id, event;
 
 	cpkt = (struct virtio_console_control *)(buf->buf + buf->offset);
 
-	/* Make sure the host cannot change id under us */
+	/* Make sure the host cannot change id or event under us */
 	id = virtio32_to_cpu(vdev, READ_ONCE(cpkt->id));
+	event = virtio16_to_cpu(vdev, cpkt->event);
 	port = find_port_by_id(portdev, id);
-	if (!port &&
-	    cpkt->event != cpu_to_virtio16(vdev, VIRTIO_CONSOLE_PORT_ADD)) {
+	if (!port && event != VIRTIO_CONSOLE_PORT_ADD) {
 		/* No valid header at start of buffer.  Drop it. */
 		dev_dbg(&portdev->vdev->dev,
 			"Invalid index %u in control packet\n", cpkt->id);
 		return;
 	}
 
-	switch (virtio16_to_cpu(vdev, cpkt->event)) {
+	switch (event) {
 	case VIRTIO_CONSOLE_PORT_ADD:
 		if (port) {
 			dev_dbg(&portdev->vdev->dev,
-- 
2.39.0