Date: Thu, 19 Jan 2023 16:22:09 +0100
From: Greg Kroah-Hartman
To: Alexander Shishkin
Cc: mst@redhat.com, jasowang@redhat.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Amit Shah, Arnd Bergmann
Subject: Re: [PATCH v1 4/6] virtio console: Harden control message handling
References: <20230119135721.83345-1-alexander.shishkin@linux.intel.com> <20230119135721.83345-5-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-5-alexander.shishkin@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 19, 2023 at 03:57:19PM +0200, Alexander Shishkin wrote:
> In handle_control_message(), we look at the ->event field twice, which
> gives a malicious VMM a window in which to switch it from PORT_ADD to
> PORT_REMOVE, triggering a null dereference further down the line:

How does the other VMM have full control over the full message here?
Shouldn't this all have been copied into our local memory if we are going
to be poking around in it?

Like I mentioned in my other review, copy it all once and then parse it.
Don't try to mess with individual fields one at a time, otherwise that way
lies madness...

thanks,

greg k-h
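The double read Alexander describes and the copy-once shape Greg asks for, as an added C model that is not the driver's code: the struct (assumed id/event/value layout), the event values, the port table and the `vmm_flip_to_remove` hook are constructed stand-ins, and the hook models the VMM rewriting the shared buffer between the guest's two reads.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the control message (assumed id/event/value layout, as in
 * virtio_console_control); in the driver it sits in a buffer the VMM owns. */
struct ctrl_msg { uint32_t id; uint16_t event; uint16_t value; };
enum { PORT_ADD = 1, PORT_REMOVE = 2 };                 /* constructed values */
enum { MSG_DROPPED, MSG_PORT_ADDED, MSG_PORT_REMOVED, MSG_NULL_DEREF };

/* Hypothetical port table; a NULL lookup means "no port object yet". */
#define NR_PORTS 8
static int port_present[NR_PORTS];
static int *find_port_by_id(uint32_t id)
{
    return (id < NR_PORTS && port_present[id]) ? &port_present[id] : NULL;
}

/* Models the VMM acting while the guest parses: idle, or flipping ->event. */
typedef void (*vmm_hook)(volatile struct ctrl_msg *s);
static void vmm_idle(volatile struct ctrl_msg *s) { (void)s; }
static void vmm_flip_to_remove(volatile struct ctrl_msg *s) { s->event = PORT_REMOVE; }

/* Event dispatch; PORT_REMOVE on a missing port is where the driver would oops. */
static int act(uint32_t id, uint16_t event, int *port)
{
    switch (event) {
    case PORT_ADD:    port_present[id] = 1; return MSG_PORT_ADDED;
    case PORT_REMOVE: if (!port) return MSG_NULL_DEREF; /* unplug_port(NULL) */
                      *port = 0; return MSG_PORT_REMOVED;
    default:          return MSG_DROPPED;
    }
}

/* Vulnerable shape: ->event is read from the shared buffer twice. */
static int handle_double_read(volatile struct ctrl_msg *shared, vmm_hook vmm)
{
    int *port = find_port_by_id(shared->id);
    if (!port && shared->event != PORT_ADD)      /* first read: ADD passes */
        return MSG_DROPPED;
    vmm(shared);                                 /* VMM acts between reads */
    return act(shared->id, shared->event, port); /* second read: now REMOVE */
}

/* Hardened shape (the review's advice): copy once, then parse only the copy. */
static int handle_copy_once(volatile struct ctrl_msg *shared, vmm_hook vmm)
{
    struct ctrl_msg m;
    memcpy(&m, (const void *)shared, sizeof m);  /* one snapshot of the message */
    vmm(shared);                                 /* same timing, now harmless */
    return handle_double_read(&m, vmm_idle);     /* both reads hit the copy */
}
```

The same parsing logic becomes safe once it only ever sees the private copy; the VMM's write after the snapshot changes nothing the guest acts on.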