Re: [PATCH v2] vhost: block speculation of translated descriptors

From: Will Deacon
Date: Wed Sep 11 2019 - 12:25:10 EST

Next message: Benjamin Coddington: "Re: Regression in 5.1.20: Reading long directory fails"
Previous message: Neil Armstrong: "Re: [PATCH v3] drm: bridge/dw_hdmi: add audio sample channel status setting"
In reply to: Michael S. Tsirkin: "Re: [PATCH v2] vhost: block speculation of translated descriptors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Sep 11, 2019 at 09:52:25AM -0400, Michael S. Tsirkin wrote:
> On Wed, Sep 11, 2019 at 08:10:00AM -0400, Michael S. Tsirkin wrote:
> > iovec addresses coming from vhost are assumed to be
> > pre-validated, but in fact can be speculated to a value
> > out of range.
> >
> > Userspace address are later validated with array_index_nospec so we can
> > be sure kernel info does not leak through these addresses, but vhost
> > must also not leak userspace info outside the allowed memory table to
> > guests.
> >
> > Following the defence in depth principle, make sure
> > the address is not validated out of node range.
> >
> > Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
> > Acked-by: Jason Wang <jasowang@xxxxxxxxxx>
> > Tested-by: Jason Wang <jasowang@xxxxxxxxxx>
> > ---
>
> Cc: security@xxxxxxxxxx
>
> Pls advise on whether you'd like me to merge this directly,
> Cc stable, or handle it in some other way.

I think you're fine taking it directly, with a cc stable and a Fixes: tag.

Cheers,

Will

Next message: Benjamin Coddington: "Re: Regression in 5.1.20: Reading long directory fails"
Previous message: Neil Armstrong: "Re: [PATCH v3] drm: bridge/dw_hdmi: add audio sample channel status setting"
In reply to: Michael S. Tsirkin: "Re: [PATCH v2] vhost: block speculation of translated descriptors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]