Re: [RFC PATCH untested] vhost: block speculation of translated descriptors
From: Jason Wang
Date: Mon Sep 09 2019 - 21:52:17 EST
On 2019/9/9 äå10:45, Michael S. Tsirkin wrote:
On Mon, Sep 09, 2019 at 03:19:55PM +0800, Jason Wang wrote:
On 2019/9/8 äå7:05, Michael S. Tsirkin wrote:
iovec addresses coming from vhost are assumed to be
pre-validated, but in fact can be speculated to a value
out of range.
Userspace address are later validated with array_index_nospec so we can
be sure kernel info does not leak through these addresses, but vhost
must also not leak userspace info outside the allowed memory table to
guests.
Following the defence in depth principle, make sure
the address is not validated out of node range.
Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
---
drivers/vhost/vhost.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 5dc174ac8cac..0ee375fb7145 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2072,7 +2072,9 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
size = node->size - addr + node->start;
_iov->iov_len = min((u64)len - s, size);
_iov->iov_base = (void __user *)(unsigned long)
- (node->userspace_addr + addr - node->start);
+ (node->userspace_addr +
+ array_index_nospec(addr - node->start,
+ node->size));
s += size;
addr += size;
++ret;
I've tried this on Kaby Lake smap off metadata acceleration off using
testpmd (virtio-user) + vhost_net. I don't see obvious performance
difference with TX PPS.
Thanks
Should I push this to Linus right now then? It's a security thing so
maybe we better do it ASAP ... what's your opinion?
Yes, you can.
Acked-by: Jason Wang <jasowang@xxxxxxxxxx>