From patchwork Fri Jul 30 10:38:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?SsO8cmdlbiBHcm/Dnw==?= X-Patchwork-Id: 12411003 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4AFC7C4338F for ; Fri, 30 Jul 2021 10:39:12 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 173A260FE7 for ; Fri, 30 Jul 2021 10:39:12 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 173A260FE7 Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=suse.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.xenproject.org Received: from list by lists.xenproject.org with outflank-mailman.162480.297961 (Exim 4.92) (envelope-from ) id 1m9Puv-0001Av-9W; Fri, 30 Jul 2021 10:39:01 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 162480.297961; Fri, 30 Jul 2021 10:39:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1m9Puv-0001Ao-6Z; Fri, 30 Jul 2021 10:39:01 +0000 Received: by outflank-mailman (input) for mailman id 162480; Fri, 30 Jul 2021 10:38:59 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1m9Put-0001Ac-I6 for xen-devel@lists.xenproject.org; Fri, 30 Jul 2021 10:38:59 +0000 Received: from smtp-out1.suse.de (unknown [195.135.220.28]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id 58642a04-f122-11eb-989c-12813bfff9fa; Fri, 30 Jul 2021 10:38:58 +0000 (UTC) Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 8AEE222303; Fri, 30 Jul 2021 10:38:57 +0000 (UTC) Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de [192.168.254.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap1.suse-dmz.suse.de (Postfix) with ESMTPS id 49C9F1332A; Fri, 30 Jul 2021 10:38:57 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap1.suse-dmz.suse.de with ESMTPSA id OkDREMHWA2HPOAAAGKfGzw (envelope-from ); Fri, 30 Jul 2021 10:38:57 +0000 X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 58642a04-f122-11eb-989c-12813bfff9fa DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1627641537; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IL3gKsLKu1Htgmjw2itJagsBsJXMj/k7+BJ8VjbP5yU=; b=UKueawrOS2soO7K5pdL84trOzFfkOx0Hcp7NKWCsWTWCXtEKXzHJUi7DJrvBTN1ejjqWNO MJCgQuOWOyBbWgaCOmwkBxXGdb3HYvi+gOep54ehKXUvMzjAoY1RA4oCDnuibim2K0x9/m 9XvQ099RvClbgfflBomn/U9sfezMyyw= From: Juergen Gross To: xen-devel@lists.xenproject.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Juergen Gross , Boris Ostrovsky , Stefano Stabellini , Konrad Rzeszutek Wilk , =?utf-8?q?Roger_Pau_Monn?= =?utf-8?q?=C3=A9?= , Jens Axboe Subject: [PATCH v3 0/3] xen: harden blkfront against malicious backends Date: Fri, 30 Jul 2021 12:38:51 +0200 Message-Id: <20210730103854.12681-1-jgross@suse.com> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Xen backends of para-virtualized devices can live in dom0 kernel, dom0 user land, or in a driver domain. This means that a backend might reside in a less trusted environment than the Xen core components, so a backend should not be able to do harm to a Xen guest (it can still mess up I/O data, but it shouldn't be able to e.g. crash a guest by other means or cause a privilege escalation in the guest). Unfortunately blkfront in the Linux kernel is fully trusting its backend. This series is fixing blkfront in this regard. It was discussed to handle this as a security problem, but the topic was discussed in public before, so it isn't a real secret. It should be mentioned that a similar series has been posted some years ago by Marek Marczykowski-Górecki, but this series has not been applied due to a Xen header not having been available in the Xen git repo at that time. Additionally my series is fixing some more DoS cases. Changes in V3: - patch 3: insert missing unlock in error case (kernel test robot) - patch 3: use %#x as format for printing wrong operation value (Roger Pau Monné) Changes in V2: - put blkfront patches into own series - some minor comments addressed Juergen Gross (3): xen/blkfront: read response from backend only once xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: don't trust the backend response data blindly drivers/block/xen-blkfront.c | 126 +++++++++++++++++++++++------------ 1 file changed, 84 insertions(+), 42 deletions(-)