Re: [PATCH v5] virtio-blk: Add validation for block size in config space

From: Max Gurtovoy
Date: Mon Aug 23 2021 - 05:38:40 EST

Next message: tip-bot2 for Xiaoming Ni: "[tip: locking/core] locking/semaphore: Add might_sleep() to down_*() family"
Previous message: Felipe Balbi: "Re: [PATCH v2] usb: dwc3: gadget: Stop EP0 transfers during pullup disable"
In reply to: Yongji Xie: "Re: [PATCH v5] virtio-blk: Add validation for block size in config space"
Next in thread: Yongji Xie: "Re: [PATCH v5] virtio-blk: Add validation for block size in config space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 8/23/2021 12:27 PM, Yongji Xie wrote:

On Mon, Aug 23, 2021 at 5:04 PM Max Gurtovoy <mgurtovoy@xxxxxxxxxx> wrote:

On 8/23/2021 11:35 AM, Yongji Xie wrote:

On Mon, Aug 23, 2021 at 4:07 PM Max Gurtovoy <mgurtovoy@xxxxxxxxxx> wrote:

On 8/23/2021 7:31 AM, Yongji Xie wrote:

On Mon, Aug 23, 2021 at 7:17 AM Max Gurtovoy <mgurtovoy@xxxxxxxxxx> wrote:

On 8/9/2021 1:16 PM, Xie Yongji wrote:

An untrusted device might presents an invalid block size
in configuration space. This tries to add validation for it
in the validate callback and clear the VIRTIO_BLK_F_BLK_SIZE
feature bit if the value is out of the supported range.

This is not clear to me. What is untrusted device ? is it a buggy device ?

A buggy device, the devices in an encrypted VM, or a userspace device
created by VDUSE [1].

[1] https://lore.kernel.org/kvm/20210818120642.165-1-xieyongji@xxxxxxxxxxxxx/

if it's a userspace device, why don't you fix its control path code
instead of adding workarounds in the kernel driver ?

VDUSE kernel module would not touch (be aware of) the device specific
configuration space. It should be more reasonable to fix it in the
device driver. There is also some existing interface (.validate()) for
doing that.

who is emulating the device configuration space ?

A userspace daemon will initialize the device configuration space and
pass the contents to the VDUSE kernel module. The VDUSE kernel module
will handle the access of the config space from the virtio device
driver, but it doesn't need to know the contents (although we can know
that).

So you add a workaround in the guest kernel drivers instead of checking these quirks in the hypervisor ?

VDUSE kernel should enforce the security for the devices it emulates/presents to the VM.

And regardless of userspace device, we still need to fix it for other cases.

which cases ? Do you know that there is a buggy HW we need to workaround ?

No, there isn't now. But this could be a potential attack surface if
the host doesn't trust the device.

If the host doesn't trust a device, why it continues using it ?

Do you suggest we do these workarounds in all device drivers in the kernel ?

Thanks,
Yongji

Next message: tip-bot2 for Xiaoming Ni: "[tip: locking/core] locking/semaphore: Add might_sleep() to down_*() family"
Previous message: Felipe Balbi: "Re: [PATCH v2] usb: dwc3: gadget: Stop EP0 transfers during pullup disable"
In reply to: Yongji Xie: "Re: [PATCH v5] virtio-blk: Add validation for block size in config space"
Next in thread: Yongji Xie: "Re: [PATCH v5] virtio-blk: Add validation for block size in config space"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]