search for: vhost_msg

We use to have message like: struct vhost_msg { int type; union { struct vhost_iotlb_msg iotlb; __u8 padding[64]; }; }; Unfortunately, there will be a hole of 32bit in 64bit machine because of the alignment. This leads a different formats between 32bit API and 64bit API. What's more it will break 32bit program running on 64bit mach...

We use to have message like: struct vhost_msg { int type; union { struct vhost_iotlb_msg iotlb; __u8 padding[64]; }; }; Unfortunately, there will be a hole of 32bit in 64bit machine because of the alignment. This leads a different formats between 32bit API and 64bit API. What's more it will break 32bit program running on 64bit mach...

We use to have message like: struct vhost_msg { int type; union { struct vhost_iotlb_msg iotlb; __u8 padding[64]; }; }; Unfortunately, there will be a hole of 32bit in 64bit machine because of the alignment. This leads a different formats between 32bit API and 64bit API. What's more it will break 32bit program running on 64bit mach...

On Fri, Aug 03, 2018 at 03:04:51PM +0800, Jason Wang wrote: > We use to have message like: > > struct vhost_msg { > int type; > union { > struct vhost_iotlb_msg iotlb; > __u8 padding[64]; > }; > }; > > Unfortunately, there will be a hole of 32bit in 64bit machine because > of the alignment. This leads a different formats between 32bit API and > 64bit API. What's more...

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com Is this...

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com Is this...

...ff-by: Michael S. Tsirkin <mst at redhat.com> > > --- > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > index f0be5f35ab28..9beefa6ed1ce 100644 > > --- a/drivers/vhost/vhost.c > > +++ b/drivers/vhost/vhost.c > > @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > > struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > > if (!node) > > return NULL; > > + > > + /* Make sure all padding within the structure is initialized. */ > > + memset(&no...

...ff-by: Michael S. Tsirkin <mst at redhat.com> > > --- > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > index f0be5f35ab28..9beefa6ed1ce 100644 > > --- a/drivers/vhost/vhost.c > > +++ b/drivers/vhost/vhost.c > > @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > > struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > > if (!node) > > return NULL; > > + > > + /* Make sure all padding within the structure is initialized. */ > > + memset(&no...

...ESS_WO????? 0x2 #define VHOST_ACCESS_RW????? 0x3 ??? __u8 perm; #define VHOST_IOTLB_MISS?????????? 1 #define VHOST_IOTLB_UPDATE???????? 2 #define VHOST_IOTLB_INVALIDATE???? 3 #define VHOST_IOTLB_ACCESS_FAIL??? 4 ??? __u8 type; }; #define VHOST_IOTLB_MSG 0x1 #define VHOST_IOTLB_MSG_V2 0x2 struct vhost_msg { ??? int type; ??? union { ??? ??? struct vhost_iotlb_msg iotlb; ??? ??? __u8 padding[64]; ??? }; }; struct vhost_msg_v2 { ??? __u32 type; ??? __u32 reserved; ??? union { ??? ??? struct vhost_iotlb_msg iotlb; ??? ??? __u8 padding[64]; ??? }; };

...ESS_WO????? 0x2 #define VHOST_ACCESS_RW????? 0x3 ??? __u8 perm; #define VHOST_IOTLB_MISS?????????? 1 #define VHOST_IOTLB_UPDATE???????? 2 #define VHOST_IOTLB_INVALIDATE???? 3 #define VHOST_IOTLB_ACCESS_FAIL??? 4 ??? __u8 type; }; #define VHOST_IOTLB_MSG 0x1 #define VHOST_IOTLB_MSG_V2 0x2 struct vhost_msg { ??? int type; ??? union { ??? ??? struct vhost_iotlb_msg iotlb; ??? ??? __u8 padding[64]; ??? }; }; struct vhost_msg_v2 { ??? __u32 type; ??? __u32 reserved; ??? union { ??? ??? struct vhost_iotlb_msg iotlb; ??? ??? __u8 padding[64]; ??? }; };

On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > so it should be allocated with kzalloc() to ensure all structure padding > is zeroed. > > Signed-off-by: Kevin Easton <kevin at guarana.org> > Reported-by: syzbot+87cfa083e727a224754b at syzkaller.appspotmail.com > ---...

...Subject: vhost: fix info leak Fixes: CVE-2018-1118 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index f0be5f35ab28..9beefa6ed1ce 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); if (!node) return NULL; + + /* Make sure all padding within the structure is initialized. */ + memset(&node->msg, 0, sizeof node->msg); node->vq = vq; n...

...Subject: vhost: fix info leak Fixes: CVE-2018-1118 Signed-off-by: Michael S. Tsirkin <mst at redhat.com> --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index f0be5f35ab28..9beefa6ed1ce 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); if (!node) return NULL; + + /* Make sure all padding within the structure is initialized. */ + memset(&node->msg, 0, sizeof node->msg); node->vq = vq; n...

...S?????????? 1 >> #define VHOST_IOTLB_UPDATE???????? 2 >> #define VHOST_IOTLB_INVALIDATE???? 3 >> #define VHOST_IOTLB_ACCESS_FAIL??? 4 >> ??? __u8 type; >> }; >> >> #define VHOST_IOTLB_MSG 0x1 >> #define VHOST_IOTLB_MSG_V2 0x2 >> >> struct vhost_msg { >> ??? int type; >> ??? union { >> ??? ??? struct vhost_iotlb_msg iotlb; >> ??? ??? __u8 padding[64]; >> ??? }; >> }; >> >> struct vhost_msg_v2 { >> ??? __u32 type; >> ??? __u32 reserved; >> ??? union { >> ??? ??? st...

...S?????????? 1 >> #define VHOST_IOTLB_UPDATE???????? 2 >> #define VHOST_IOTLB_INVALIDATE???? 3 >> #define VHOST_IOTLB_ACCESS_FAIL??? 4 >> ??? __u8 type; >> }; >> >> #define VHOST_IOTLB_MSG 0x1 >> #define VHOST_IOTLB_MSG_V2 0x2 >> >> struct vhost_msg { >> ??? int type; >> ??? union { >> ??? ??? struct vhost_iotlb_msg iotlb; >> ??? ??? __u8 padding[64]; >> ??? }; >> }; >> >> struct vhost_msg_v2 { >> ??? __u32 type; >> ??? __u32 reserved; >> ??? union { >> ??? ??? st...

...umem_interval_tree_remove(node, &umem->umem_tree); - list_del(&node->link); - kvfree(node); - } + list_for_each_entry_safe(node, tmp, &umem->umem_list, link) + vhost_umem_free(umem, node); + kvfree(umem); } +static void vhost_clear_msg(struct vhost_dev *dev) +{ + struct vhost_msg_node *node, *n; + + spin_lock(&dev->iotlb_lock); + + list_for_each_entry_safe(node, n, &dev->read_list, node) { + list_del(&node->node); + kfree(node); + } + + list_for_each_entry_safe(node, n, &dev->pending_list, node) { + list_del(&node->node); + kfree(node)...

...gt; #define VHOST_IOTLB_INVALIDATE???? 3 >>>> #define VHOST_IOTLB_ACCESS_FAIL??? 4 >>>> ??? __u8 type; >>>> }; >>>> >>>> #define VHOST_IOTLB_MSG 0x1 >>>> #define VHOST_IOTLB_MSG_V2 0x2 >>>> >>>> struct vhost_msg { >>>> ??? int type; >>>> ??? union { >>>> ??? ??? struct vhost_iotlb_msg iotlb; >>>> ??? ??? __u8 padding[64]; >>>> ??? }; >>>> }; >>>> >>>> struct vhost_msg_v2 { >>>> ??? __u32...

...hat.com> --- include/uapi/linux/vhost.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/uapi/linux/vhost.h b/include/uapi/linux/vhost.h index 5a8ad06..c51f8e5 100644 --- a/include/uapi/linux/vhost.h +++ b/include/uapi/linux/vhost.h @@ -68,7 +68,6 @@ struct vhost_iotlb_msg { struct vhost_msg { int type; - int padding0; union { struct vhost_iotlb_msg iotlb; __u8 padding[64]; -- MST

On Tue, May 29, 2018 at 03:19:08PM -0700, Guenter Roeck wrote: > On Fri, Apr 27, 2018 at 11:45:02AM -0400, Kevin Easton wrote: > > The struct vhost_msg within struct vhost_msg_node is copied to userspace, > > so it should be allocated with kzalloc() to ensure all structure padding > > is zeroed. > > > > Signed-off-by: Kevin Easton <kevin at guarana.org> > > Reported-by: syzbot+87cfa083e727a224754b at syzkaller....

...s: CVE-2018-1118 > Signed-off-by: Michael S. Tsirkin <mst at redhat.com> > --- > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index f0be5f35ab28..9beefa6ed1ce 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -2345,6 +2345,9 @@ struct vhost_msg_node *vhost_new_msg(struct vhost_virtqueue *vq, int type) > struct vhost_msg_node *node = kmalloc(sizeof *node, GFP_KERNEL); > if (!node) > return NULL; > + > + /* Make sure all padding within the structure is initialized. */ > + memset(&node->msg, 0, sizeof node-&gt...