From patchwork Fri Jun 4 05:53:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jason Wang X-Patchwork-Id: 12298729 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1FD3FC47083 for ; Fri, 4 Jun 2021 05:54:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0A73561418 for ; Fri, 4 Jun 2021 05:54:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230143AbhFDF4X (ORCPT ); Fri, 4 Jun 2021 01:56:23 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:36072 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230131AbhFDF4X (ORCPT ); Fri, 4 Jun 2021 01:56:23 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1622786077; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AbiiXanJPfz96ay/qiIqUUYDY4TZVIjkqLicSiV3UY4=; b=aGLxt5W4rvRy+cv2tO58dKO9cpBjVI4TWiX4kPcnq6a0mxLYyTaw87w/C8t25SYZRtMvCh Tz5JGSfHdAwysQRZjpo/dl9+/F2P/26PXCFid7HcisUzZ8paMEPSfiAdF9MAYovsgu6B9m RO3sdAUrFYAWPAKKY9bmp/4GOnhzFfc= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-560-SSTCJvdKOpOGv4dcPNFQtg-1; Fri, 04 Jun 2021 01:54:36 -0400 X-MC-Unique: SSTCJvdKOpOGv4dcPNFQtg-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E073C180FD70; Fri, 4 Jun 2021 05:54:34 +0000 (UTC) Received: from localhost.localdomain (ovpn-12-212.pek2.redhat.com [10.72.12.212]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5E9FA5D9CC; Fri, 4 Jun 2021 05:54:28 +0000 (UTC) From: Jason Wang To: mst@redhat.com Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, xieyongji@bytedance.com, stefanha@redhat.com, file@sect.tu-berlin.de, ashish.kalra@amd.com, konrad.wilk@oracle.com, kvm@vger.kernel.org, hch@infradead.org, ak@linux.intel.com, luto@kernel.org, Jason Wang Subject: [PATCH 4/7] virtio_ring: secure handling of mapping errors Date: Fri, 4 Jun 2021 13:53:47 +0800 Message-Id: <20210604055350.58753-5-jasowang@redhat.com> In-Reply-To: <20210604055350.58753-1-jasowang@redhat.com> References: <20210604055350.58753-1-jasowang@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org We should not depend on the DMA address, length and flag of descriptor table since they could be wrote with arbitrary value by the device. So this patch switches to use the stored one in desc_extra. Note that the indirect descriptors are fine since they are read-only streaming mappings. Signed-off-by: Jason Wang --- drivers/virtio/virtio_ring.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index 0cdd965dba58..5509c2643fb1 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -1213,13 +1213,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, unmap_release: err_idx = i; i = head; + curr = vq->free_head; vq->packed.avail_used_flags = avail_used_flags; for (n = 0; n < total_sg; n++) { if (i == err_idx) break; - vring_unmap_desc_packed(vq, &desc[i]); + vring_unmap_state_packed(vq, + &vq->packed.desc_extra[curr]); + curr = vq->packed.desc_extra[curr].next; i++; if (i >= vq->packed.vring.num) i = 0;