| Message ID | 20190908110521.4031-1-mst@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [RFC,untested] vhost: block speculation of translated descriptors | expand |
On 2019/9/8 下午7:05, Michael S. Tsirkin wrote: > iovec addresses coming from vhost are assumed to be > pre-validated, but in fact can be speculated to a value > out of range. > > Userspace address are later validated with array_index_nospec so we can > be sure kernel info does not leak through these addresses, but vhost > must also not leak userspace info outside the allowed memory table to > guests. > > Following the defence in depth principle, make sure > the address is not validated out of node range. > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > --- > drivers/vhost/vhost.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > index 5dc174ac8cac..0ee375fb7145 100644 > --- a/drivers/vhost/vhost.c > +++ b/drivers/vhost/vhost.c > @@ -2072,7 +2072,9 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, > size = node->size - addr + node->start; > _iov->iov_len = min((u64)len - s, size); > _iov->iov_base = (void __user *)(unsigned long) > - (node->userspace_addr + addr - node->start); > + (node->userspace_addr + > + array_index_nospec(addr - node->start, > + node->size)); > s += size; > addr += size; > ++ret; I've tried this on Kaby Lake smap off metadata acceleration off using testpmd (virtio-user) + vhost_net. I don't see obvious performance difference with TX PPS. Thanks
On Mon, Sep 09, 2019 at 03:19:55PM +0800, Jason Wang wrote: > > On 2019/9/8 下午7:05, Michael S. Tsirkin wrote: > > iovec addresses coming from vhost are assumed to be > > pre-validated, but in fact can be speculated to a value > > out of range. > > > > Userspace address are later validated with array_index_nospec so we can > > be sure kernel info does not leak through these addresses, but vhost > > must also not leak userspace info outside the allowed memory table to > > guests. > > > > Following the defence in depth principle, make sure > > the address is not validated out of node range. > > > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > > --- > > drivers/vhost/vhost.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > index 5dc174ac8cac..0ee375fb7145 100644 > > --- a/drivers/vhost/vhost.c > > +++ b/drivers/vhost/vhost.c > > @@ -2072,7 +2072,9 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, > > size = node->size - addr + node->start; > > _iov->iov_len = min((u64)len - s, size); > > _iov->iov_base = (void __user *)(unsigned long) > > - (node->userspace_addr + addr - node->start); > > + (node->userspace_addr + > > + array_index_nospec(addr - node->start, > > + node->size)); > > s += size; > > addr += size; > > ++ret; > > > I've tried this on Kaby Lake smap off metadata acceleration off using > testpmd (virtio-user) + vhost_net. I don't see obvious performance > difference with TX PPS. > > Thanks Should I push this to Linus right now then? It's a security thing so maybe we better do it ASAP ... what's your opinion?
On 2019/9/9 下午10:45, Michael S. Tsirkin wrote: > On Mon, Sep 09, 2019 at 03:19:55PM +0800, Jason Wang wrote: >> On 2019/9/8 下午7:05, Michael S. Tsirkin wrote: >>> iovec addresses coming from vhost are assumed to be >>> pre-validated, but in fact can be speculated to a value >>> out of range. >>> >>> Userspace address are later validated with array_index_nospec so we can >>> be sure kernel info does not leak through these addresses, but vhost >>> must also not leak userspace info outside the allowed memory table to >>> guests. >>> >>> Following the defence in depth principle, make sure >>> the address is not validated out of node range. >>> >>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> >>> --- >>> drivers/vhost/vhost.c | 4 +++- >>> 1 file changed, 3 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c >>> index 5dc174ac8cac..0ee375fb7145 100644 >>> --- a/drivers/vhost/vhost.c >>> +++ b/drivers/vhost/vhost.c >>> @@ -2072,7 +2072,9 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, >>> size = node->size - addr + node->start; >>> _iov->iov_len = min((u64)len - s, size); >>> _iov->iov_base = (void __user *)(unsigned long) >>> - (node->userspace_addr + addr - node->start); >>> + (node->userspace_addr + >>> + array_index_nospec(addr - node->start, >>> + node->size)); >>> s += size; >>> addr += size; >>> ++ret; >> >> I've tried this on Kaby Lake smap off metadata acceleration off using >> testpmd (virtio-user) + vhost_net. I don't see obvious performance >> difference with TX PPS. >> >> Thanks > Should I push this to Linus right now then? It's a security thing so > maybe we better do it ASAP ... what's your opinion? Yes, you can. Acked-by: Jason Wang <jasowang@redhat.com> >
On Tue, Sep 10, 2019 at 09:52:10AM +0800, Jason Wang wrote: > > On 2019/9/9 下午10:45, Michael S. Tsirkin wrote: > > On Mon, Sep 09, 2019 at 03:19:55PM +0800, Jason Wang wrote: > > > On 2019/9/8 下午7:05, Michael S. Tsirkin wrote: > > > > iovec addresses coming from vhost are assumed to be > > > > pre-validated, but in fact can be speculated to a value > > > > out of range. > > > > > > > > Userspace address are later validated with array_index_nospec so we can > > > > be sure kernel info does not leak through these addresses, but vhost > > > > must also not leak userspace info outside the allowed memory table to > > > > guests. > > > > > > > > Following the defence in depth principle, make sure > > > > the address is not validated out of node range. > > > > > > > > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > > > > --- > > > > drivers/vhost/vhost.c | 4 +++- > > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c > > > > index 5dc174ac8cac..0ee375fb7145 100644 > > > > --- a/drivers/vhost/vhost.c > > > > +++ b/drivers/vhost/vhost.c > > > > @@ -2072,7 +2072,9 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, > > > > size = node->size - addr + node->start; > > > > _iov->iov_len = min((u64)len - s, size); > > > > _iov->iov_base = (void __user *)(unsigned long) > > > > - (node->userspace_addr + addr - node->start); > > > > + (node->userspace_addr + > > > > + array_index_nospec(addr - node->start, > > > > + node->size)); > > > > s += size; > > > > addr += size; > > > > ++ret; > > > > > > I've tried this on Kaby Lake smap off metadata acceleration off using > > > testpmd (virtio-user) + vhost_net. I don't see obvious performance > > > difference with TX PPS. > > > > > > Thanks > > Should I push this to Linus right now then? It's a security thing so > > maybe we better do it ASAP ... what's your opinion? > > > Yes, you can. > > Acked-by: Jason Wang <jasowang@redhat.com> And should I include Tested-by: Jason Wang <jasowang@redhat.com> ? > > > >
On 2019/9/10 下午2:48, Michael S. Tsirkin wrote: > On Tue, Sep 10, 2019 at 09:52:10AM +0800, Jason Wang wrote: >> On 2019/9/9 下午10:45, Michael S. Tsirkin wrote: >>> On Mon, Sep 09, 2019 at 03:19:55PM +0800, Jason Wang wrote: >>>> On 2019/9/8 下午7:05, Michael S. Tsirkin wrote: >>>>> iovec addresses coming from vhost are assumed to be >>>>> pre-validated, but in fact can be speculated to a value >>>>> out of range. >>>>> >>>>> Userspace address are later validated with array_index_nospec so we can >>>>> be sure kernel info does not leak through these addresses, but vhost >>>>> must also not leak userspace info outside the allowed memory table to >>>>> guests. >>>>> >>>>> Following the defence in depth principle, make sure >>>>> the address is not validated out of node range. >>>>> >>>>> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> >>>>> --- >>>>> drivers/vhost/vhost.c | 4 +++- >>>>> 1 file changed, 3 insertions(+), 1 deletion(-) >>>>> >>>>> diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c >>>>> index 5dc174ac8cac..0ee375fb7145 100644 >>>>> --- a/drivers/vhost/vhost.c >>>>> +++ b/drivers/vhost/vhost.c >>>>> @@ -2072,7 +2072,9 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, >>>>> size = node->size - addr + node->start; >>>>> _iov->iov_len = min((u64)len - s, size); >>>>> _iov->iov_base = (void __user *)(unsigned long) >>>>> - (node->userspace_addr + addr - node->start); >>>>> + (node->userspace_addr + >>>>> + array_index_nospec(addr - node->start, >>>>> + node->size)); >>>>> s += size; >>>>> addr += size; >>>>> ++ret; >>>> I've tried this on Kaby Lake smap off metadata acceleration off using >>>> testpmd (virtio-user) + vhost_net. I don't see obvious performance >>>> difference with TX PPS. >>>> >>>> Thanks >>> Should I push this to Linus right now then? It's a security thing so >>> maybe we better do it ASAP ... what's your opinion? >> >> Yes, you can. >> >> Acked-by: Jason Wang <jasowang@redhat.com> > > And should I include > > Tested-by: Jason Wang <jasowang@redhat.com> > > ? Yes. Thanks > >>
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5dc174ac8cac..0ee375fb7145 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2072,7 +2072,9 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, size = node->size - addr + node->start; _iov->iov_len = min((u64)len - s, size); _iov->iov_base = (void __user *)(unsigned long) - (node->userspace_addr + addr - node->start); + (node->userspace_addr + + array_index_nospec(addr - node->start, + node->size)); s += size; addr += size; ++ret;
iovec addresses coming from vhost are assumed to be pre-validated, but in fact can be speculated to a value out of range. Userspace address are later validated with array_index_nospec so we can be sure kernel info does not leak through these addresses, but vhost must also not leak userspace info outside the allowed memory table to guests. Following the defence in depth principle, make sure the address is not validated out of node range. Signed-off-by: Michael S. Tsirkin <mst@redhat.com> --- drivers/vhost/vhost.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)