Michael S. Tsirkin
2019-Sep-11 12:10 UTC
[PATCH v2] vhost: block speculation of translated descriptors
iovec addresses coming from vhost are assumed to be pre-validated, but in fact can be speculated to a value out of range. Userspace address are later validated with array_index_nospec so we can be sure kernel info does not leak through these addresses, but vhost must also not leak userspace info outside the allowed memory table to guests. Following the defence in depth principle, make sure the address is not validated out of node range. Signed-off-by: Michael S. Tsirkin <mst at redhat.com> Acked-by: Jason Wang <jasowang at redhat.com> Tested-by: Jason Wang <jasowang at redhat.com> --- changes from v1: fix build on 32 bit drivers/vhost/vhost.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5dc174ac8cac..34ea219936e3 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, _iov = iov + ret; size = node->size - addr + node->start; _iov->iov_len = min((u64)len - s, size); - _iov->iov_base = (void __user *)(unsigned long) - (node->userspace_addr + addr - node->start); + _iov->iov_base = (void __user *) + ((unsigned long)node->userspace_addr + + array_index_nospec((unsigned long)(addr - node->start), + node->size)); s += size; addr += size; ++ret; -- MST
Michal Hocko
2019-Sep-11 12:16 UTC
[PATCH v2] vhost: block speculation of translated descriptors
On Wed 11-09-19 08:10:00, Michael S. Tsirkin wrote:> iovec addresses coming from vhost are assumed to be > pre-validated, but in fact can be speculated to a value > out of range. > > Userspace address are later validated with array_index_nospec so we can > be sure kernel info does not leak through these addresses, but vhost > must also not leak userspace info outside the allowed memory table to > guests. > > Following the defence in depth principle, make sure > the address is not validated out of node range. > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > Acked-by: Jason Wang <jasowang at redhat.com> > Tested-by: Jason Wang <jasowang at redhat.com>no need to mark fo stable? Other spectre fixes tend to be backported even when the security implications are not really clear. The risk should be low and better to be covered in case.> --- > > changes from v1: fix build on 32 bit > > drivers/vhost/vhost.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 5dc174ac8cac..34ea219936e3 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, > _iov = iov + ret; > size = node->size - addr + node->start; > _iov->iov_len = min((u64)len - s, size); > - _iov->iov_base = (void __user *)(unsigned long) > - (node->userspace_addr + addr - node->start); > + _iov->iov_base = (void __user *) > + ((unsigned long)node->userspace_addr + > + array_index_nospec((unsigned long)(addr - node->start), > + node->size)); > s += size; > addr += size; > ++ret; > -- > MST-- Michal Hocko SUSE Labs
Michael S. Tsirkin
2019-Sep-11 12:25 UTC
[PATCH v2] vhost: block speculation of translated descriptors
On Wed, Sep 11, 2019 at 02:16:28PM +0200, Michal Hocko wrote:> On Wed 11-09-19 08:10:00, Michael S. Tsirkin wrote: > > iovec addresses coming from vhost are assumed to be > > pre-validated, but in fact can be speculated to a value > > out of range. > > > > Userspace address are later validated with array_index_nospec so we can > > be sure kernel info does not leak through these addresses, but vhost > > must also not leak userspace info outside the allowed memory table to > > guests. > > > > Following the defence in depth principle, make sure > > the address is not validated out of node range. > > > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > > Acked-by: Jason Wang <jasowang at redhat.com> > > Tested-by: Jason Wang <jasowang at redhat.com> > > no need to mark fo stable? Other spectre fixes tend to be backported > even when the security implications are not really clear. The risk > should be low and better to be covered in case.This is not really a fix - more a defence in depth thing, quite similar to e.g. commit b3bbfb3fb5d25776b8e3f361d2eedaabb0b496cd x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec in scope. That one doesn't seem to be tagged for stable. Was it queued there in practice?> > --- > > > > changes from v1: fix build on 32 bit > > > > drivers/vhost/vhost.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > index 5dc174ac8cac..34ea219936e3 100644 > > --- a/drivers/vhost/vhost.c > > +++ b/drivers/vhost/vhost.c > > @@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, > > _iov = iov + ret; > > size = node->size - addr + node->start; > > _iov->iov_len = min((u64)len - s, size); > > - _iov->iov_base = (void __user *)(unsigned long) > > - (node->userspace_addr + addr - node->start); > > + _iov->iov_base = (void __user *) > > + ((unsigned long)node->userspace_addr + > > + array_index_nospec((unsigned long)(addr - node->start), > > + node->size)); > > s += size; > > addr += size; > > ++ret; > > -- > > MST > > -- > Michal Hocko > SUSE Labs
Michael S. Tsirkin
2019-Sep-11 13:52 UTC
[PATCH v2] vhost: block speculation of translated descriptors
On Wed, Sep 11, 2019 at 08:10:00AM -0400, Michael S. Tsirkin wrote:> iovec addresses coming from vhost are assumed to be > pre-validated, but in fact can be speculated to a value > out of range. > > Userspace address are later validated with array_index_nospec so we can > be sure kernel info does not leak through these addresses, but vhost > must also not leak userspace info outside the allowed memory table to > guests. > > Following the defence in depth principle, make sure > the address is not validated out of node range. > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > Acked-by: Jason Wang <jasowang at redhat.com> > Tested-by: Jason Wang <jasowang at redhat.com> > ---Cc: security at kernel.org Pls advise on whether you'd like me to merge this directly, Cc stable, or handle it in some other way.> changes from v1: fix build on 32 bit > > drivers/vhost/vhost.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 5dc174ac8cac..34ea219936e3 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, > _iov = iov + ret; > size = node->size - addr + node->start; > _iov->iov_len = min((u64)len - s, size); > - _iov->iov_base = (void __user *)(unsigned long) > - (node->userspace_addr + addr - node->start); > + _iov->iov_base = (void __user *) > + ((unsigned long)node->userspace_addr + > + array_index_nospec((unsigned long)(addr - node->start), > + node->size)); > s += size; > addr += size; > ++ret; > -- > MST
Will Deacon
2019-Sep-11 16:25 UTC
[PATCH v2] vhost: block speculation of translated descriptors
On Wed, Sep 11, 2019 at 09:52:25AM -0400, Michael S. Tsirkin wrote:> On Wed, Sep 11, 2019 at 08:10:00AM -0400, Michael S. Tsirkin wrote: > > iovec addresses coming from vhost are assumed to be > > pre-validated, but in fact can be speculated to a value > > out of range. > > > > Userspace address are later validated with array_index_nospec so we can > > be sure kernel info does not leak through these addresses, but vhost > > must also not leak userspace info outside the allowed memory table to > > guests. > > > > Following the defence in depth principle, make sure > > the address is not validated out of node range. > > > > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > > Acked-by: Jason Wang <jasowang at redhat.com> > > Tested-by: Jason Wang <jasowang at redhat.com> > > --- > > Cc: security at kernel.org > > Pls advise on whether you'd like me to merge this directly, > Cc stable, or handle it in some other way.I think you're fine taking it directly, with a cc stable and a Fixes: tag. Cheers, Will
Apparently Analagous Threads
- [PATCH v2] vhost: block speculation of translated descriptors
- [RFC PATCH untested] vhost: block speculation of translated descriptors
- [RFC PATCH untested] vhost: block speculation of translated descriptors
- [RFC PATCH untested] vhost: block speculation of translated descriptors
- [RFC PATCH untested] vhost: block speculation of translated descriptors