Michael S. Tsirkin
2023-Jan-20 12:56 UTC
[PATCH v1 6/6] virtio_ring: Prevent bounds check bypass on descriptor index
On Thu, Jan 19, 2023 at 03:57:21PM +0200, Alexander Shishkin wrote:> The descriptor index in virtqueue_get_buf_ctx_split() comes from the > device/VMM.a Use array_index_nospec() to prevent the CPU from speculating > beyond the descriptor array bounds and providing a primitive for building > a side channel. > > Signed-off-by: Alexander Shishkin <alexander.shishkin at linux.intel.com> > --- > drivers/virtio/virtio_ring.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c > index 2e7689bb933b..c42d070ab68d 100644 > --- a/drivers/virtio/virtio_ring.c > +++ b/drivers/virtio/virtio_ring.c > @@ -9,6 +9,7 @@ > #include <linux/device.h> > #include <linux/slab.h> > #include <linux/module.h> > +#include <linux/nospec.h> > #include <linux/hrtimer.h> > #include <linux/dma-mapping.h> > #include <linux/kmsan.h> > @@ -819,6 +820,8 @@ static void *virtqueue_get_buf_ctx_split(struct virtqueue *_vq, > BAD_RING(vq, "id %u out of range\n", i); > return NULL; > } > + > + i = array_index_nospec(i, vq->split.vring.num);I suspect plain i &= split.vring.num - 1 is more efficient. We know num is a power of two but compiler doesn't. And pls add a comment explaining what's going on.> if (unlikely(!vq->split.desc_state[i].data)) { > BAD_RING(vq, "id %u is not a head!\n", i); > return NULL; > -- > 2.39.0