Commit a89db445 authored by Michael S. Tsirkin's avatar Michael S. Tsirkin

vhost: block speculation of translated descriptors

iovec addresses coming from vhost are assumed to be
pre-validated, but in fact can be speculated to a value
out of range.

Userspace address are later validated with array_index_nospec so we can
be sure kernel info does not leak through these addresses, but vhost
must also not leak userspace info outside the allowed memory table to
guests.

Following the defence in depth principle, make sure
the address is not validated out of node range.
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Acked-by: default avatarJason Wang <jasowang@redhat.com>
Tested-by: default avatarJason Wang <jasowang@redhat.com>
parent cf8f1696
...@@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, ...@@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
_iov = iov + ret; _iov = iov + ret;
size = node->size - addr + node->start; size = node->size - addr + node->start;
_iov->iov_len = min((u64)len - s, size); _iov->iov_len = min((u64)len - s, size);
_iov->iov_base = (void __user *)(unsigned long) _iov->iov_base = (void __user *)
(node->userspace_addr + addr - node->start); ((unsigned long)node->userspace_addr +
array_index_nospec((unsigned long)(addr - node->start),
node->size));
s += size; s += size;
addr += size; addr += size;
++ret; ++ret;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment