From patchwork Tue Mar 2 16:54:34 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Michael S. Tsirkin"
X-Patchwork-Id: 46642
Date: Tue, 2 Mar 2010 18:54:34 +0200
From: "Michael S. Tsirkin" To: qemu-devel@nongnu.org, Anthony Liguori Message-ID: <20100302165434.GA8690@redhat.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.19 (2009-01-05) X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 X-detected-operating-system: by monty-python.gnu.org: Genre and OS details not recognized. Cc: Subject: [Qemu-devel] [PATCH RFC] vhost: ring: verify ring is not being moved X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org abort if it is Signed-off-by: Michael S. Tsirkin --- So the following is a simple solution for unstable ring mappings security issue: simply detect this and stop. Will repost series with this later after some testing, but this is an RFC to get early feedback if any. hw/vhost.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++--- hw/vhost.h | 3 +++ 2 files changed, 52 insertions(+), 3 deletions(-) diff --git a/hw/vhost.c b/hw/vhost.c index 3b3a109..b9e115e 100644 --- a/hw/vhost.c +++ b/hw/vhost.c 
@@ -256,6 +256,33 @@ static inline void vhost_dev_log_resize(struct vhost_dev* dev, uint64_t size) dev->log_size = size; } +static int vhost_verify_ring_mappings(struct vhost_dev *dev, + uint64_t start_addr, + uint64_t size) +{ + int i; + for (i = 0; i < dev->nvqs; ++i) { + struct vhost_virtqueue *vq = dev->vqs + i; + target_phys_addr_t l; + void *p; + + if (!ranges_overlap(start_addr, size, vq->ring_phys, vq->ring_size)) + continue; + l = vq->ring_size; + p = cpu_physical_memory_map(vq->ring_phys, &l, 1); + if (!p || l != vq->ring_size) { + fprintf(stderr, "Unable to map ring buffer for ring %d\n", i); + return -ENOMEM; + } + if (p != vq->ring) { + fprintf(stderr, "Ring buffer relocated for ring %d\n", i); + return -EBUSY; + } + cpu_physical_memory_unmap(p, l, 0, 0); + } + return 0; +} + static void vhost_client_set_memory(CPUPhysMemoryClient *client, target_phys_addr_t start_addr, ram_addr_t size, @@ -284,6 +311,12 @@ static void vhost_client_set_memory(CPUPhysMemoryClient *client, if (!dev->started) { return; } + + if (dev->started) { + r = vhost_verify_ring_mappings(dev, start_addr, size); + assert(r >= 0); + } + if (!dev->log_enabled) { r = ioctl(dev->control, VHOST_SET_MEM_TABLE, dev->mem); assert(r >= 0); @@ -442,6 +475,14 @@ static int vhost_virtqueue_init(struct vhost_dev *dev, goto fail_alloc_used; } + vq->ring_size = s = l = virtio_queue_get_ring_size(vdev, idx); + vq->ring_phys = a = virtio_queue_get_ring(vdev, idx); + vq->ring = cpu_physical_memory_map(a, &l, 1); + if (!vq->ring || l != s) { + r = -ENOMEM; + goto fail_alloc_ring; + } + r = vhost_virtqueue_set_addr(dev, vq, idx, dev->log_enabled); if (r < 0) { r = -errno; 
@@ -485,6 +526,9 @@ fail_host_notifier: vdev->binding->guest_notifier(vdev->binding_opaque, idx, false); fail_guest_notifier: fail_alloc: + cpu_physical_memory_unmap(vq->ring, virtio_queue_get_ring_size(vdev, idx), + 0, 0); +fail_alloc_ring: cpu_physical_memory_unmap(vq->used, virtio_queue_get_used_size(vdev, idx), 0, 0); fail_alloc_used: @@ -526,12 +570,14 @@ static void vhost_virtqueue_cleanup(struct vhost_dev *dev, } virtio_queue_set_last_avail_idx(vdev, idx, state.num); assert (r >= 0); + cpu_physical_memory_unmap(vq->ring, virtio_queue_get_ring_size(vdev, idx), + 0, virtio_queue_get_ring_size(vdev, idx)); cpu_physical_memory_unmap(vq->used, virtio_queue_get_used_size(vdev, idx), 0, 0); cpu_physical_memory_unmap(vq->avail, virtio_queue_get_avail_size(vdev, idx), 0, 0); cpu_physical_memory_unmap(vq->desc, virtio_queue_get_desc_size(vdev, idx), 0, 0); } int vhost_dev_init(struct vhost_dev *hdev, int devfd) diff --git a/hw/vhost.h b/hw/vhost.h index 48b52c7..86dd834 100644 --- a/hw/vhost.h +++ b/hw/vhost.h @@ -14,6 +14,9 @@ struct vhost_virtqueue { int num; unsigned long long used_phys; unsigned used_size; + void *ring; + unsigned long long ring_phys; + unsigned ring_size; }; typedef unsigned long vhost_log_chunk_t;
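Review bot: in the vhost_verify_ring_mappings hunk (@@ -256,6 +256,33 @@) both error returns leak the mapping. When cpu_physical_memory_map returns a non-NULL `p` but `l != vq->ring_size`, and when `p != vq->ring`, the function returns -ENOMEM / -EBUSY without calling `cpu_physical_memory_unmap(p, l, 0, 0)`; only the success path unmaps. Add the unmap before each of those two returns (the `!p` case has nothing to release). The map is also requested with is_write=1 although nothing is written through `p`; since the pointer is only compared against `vq->ring`, is_write=0 matches what the function actually does and keeps the unmap arguments consistent with the map.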
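Review bot: in the vhost_client_set_memory hunk (@@ -284,6 +311,12 @@) the new `if (dev->started)` wrapper is always true: it sits directly after `if (!dev->started) { return; }`, so the condition is dead and the call can be made unconditionally. Separately, `assert(r >= 0)` folds two different outcomes into one process abort: -EBUSY (the ring really moved, which is the "abort if it is" behaviour the RFC asks for) and -ENOMEM (the ring range can no longer be mapped at its old size). At minimum the two should be distinguishable from the error output; consider whether the -ENOMEM case should stop the device rather than abort.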
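Review bot: in the vhost_virtqueue_init hunk (@@ -442,6 +475,14 @@) the test `if (!vq->ring || l != s)` leaks the ring mapping when cpu_physical_memory_map returns a non-NULL pointer with a short length: it jumps to fail_alloc_ring, which unmaps `used` but not `ring`. Split the two conditions, jumping to fail_alloc_ring only when `vq->ring` is NULL and unmapping the short mapping (or jumping to fail_alloc) when it is non-NULL but `l != s`. Also, virtio_queue_get_ring() and virtio_queue_get_ring_size() are not introduced by this diff (only hw/vhost.c and hw/vhost.h are touched), so they must already exist in the virtio headers or come from another patch in the series mentioned in the description; the RFC should state which, since the patch does not build without them.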
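Review bot: in the vhost_virtqueue_cleanup hunk (@@ -526,12 +570,14 @@) the new unmap passes is_write=0 together with a non-zero access_len of `virtio_queue_get_ring_size(vdev, idx)`, while the three existing unmaps beside it pass `0, 0` and the matching map in vhost_virtqueue_init uses is_write=1. cpu_physical_memory_unmap only uses access_len when is_write is set, so as written the length argument has no effect and the intent is unclear. Decide whether the host side writes through this mapping: if so, unmap with is_write=1 and the real access length so dirty tracking stays correct; if not, map with is_write=0 and unmap with `0, 0` like the other three. Either way, the map and unmap flags should agree.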
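Review bot: in the hw/vhost.h hunk the three new members `ring`, `ring_phys` and `ring_size` are undocumented. They sit next to `used_phys`/`used_size`, but nothing says which guest region `ring` covers relative to the existing desc/avail/used mappings, and that matters because vhost_verify_ring_mappings only checks this one range for overlap and relocation. Add a comment stating the region and that `ring` is kept solely to detect relocation by pointer comparison against a fresh cpu_physical_memory_map of `ring_phys`.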