Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since RFC:
- pass sentinel values for {init,reset}_request in
On Fri, Apr 09, 2021 at 03:38:14PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Thursday, April
> 8, 2021 9:13 AM
> >
> > Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
> > all issues with allocating enough entries in the VM
On Fri, Apr 09, 2021 at 03:49:00PM +, Michael Kelley wrote:
> From: Andrea Parri (Microsoft) Sent: Thursday, April
> 8, 2021 9:15 AM
> >
> > Pointers to ring-buffer packets sent by Hyper-V are used within the
> > guest VM. Hyper-V can send packets with erroneous val
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 9 ++--
drivers/hv
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 14 +++---
drivers/hv/ring_buffer.c | 12
nsfer_page' packet (all implementations), that
is known/validated to be less than or equal to the receive section
size and not smaller than the length of the RNDIS message.
Reported-by: Dexuan Cui
Suggested-by: Haiyang Zhang
Signed-off-by: Andrea Parri (Microsoft)
Fixes: 505e3f00c3f36 (
Hi all,
I'm reporting two regressions following certain VMBus/VSCs hardening changes
we've been discussing 'recently', unfortunately the first regression already
touched/affects mainline while the second one is in hyperv-next:
1) [mainline]
The first regression manifests with the following messa
Fix the typo.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the
receive buffer")
---
drivers/net/hyperv/rndis_filter.c | 2 +-
1 file
arios from occurring in the future.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
Fixes: 44144185951a0f ("hv_netvsc: Add validation for untrusted Hyper-V values")
---
drivers/net/hyperv/net
Patch #2 also addresses the Smatch complaint reported here:
https://lkml.kernel.org/r/YBp2oVIdMe+G%2FliJ@mwanda/
Thanks,
Andrea
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (2):
hv_netvsc: Allocate the recv_buf buf
malicious host to bypass the check on the packet's
length in netvsc_receive() and hence to overflow the recv_buf buffer.
Move the allocation of the recv_buf buffers into netvsc_init_buf().
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc:
On Tue, Feb 02, 2021 at 11:45:49AM -0800, Jakub Kicinski wrote:
> On Tue, 2 Feb 2021 09:18:43 +0100 Andrea Parri wrote:
> > Hi net maintainers,
> >
> >
> > On Sat, Jan 30, 2021 at 12:50:06AM +,
> > patchwork-bot+netdev...@kernel.org wrote:
> > > Hel
Hi net maintainers,
On Sat, Jan 30, 2021 at 12:50:06AM +, patchwork-bot+netdev...@kernel.org
wrote:
> Hello:
>
> This patch was applied to netdev/net-next.git (refs/heads/master):
>
> On Tue, 26 Jan 2021 17:29:07 +0100 you wrote:
> > Pointers to receive-buffer packets sent by Hyper-V are u
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Reviewed-by: Haiyang Zhang
Cc: "David S. Miller"
Cc: Jakub Ki
i.and...@gmail.com
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
Changes since v1 [1]:
- copy certain
On Tue, Jan 26, 2021 at 12:38:47PM +0100, Andrea Parri (Microsoft) wrote:
> Pointers to receive-buffer packets sent by Hyper-V are used within the
> guest VM. Hyper-V can send packets with erroneous values or modify
> packet fields after they are processed by the guest. To defend agains
"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Isolation Configuration leaf
Drivers: hv: vmbus: Restrict vmbus_devices on isolated
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
drivers/net/hyperv/hyperv_ne
> > > > @@ -544,7 +545,8 @@ static int negotiate_nvsp_ver(struct hv_device
> > > > *device,
> > > > init_packet->msg.v2_msg.send_ndis_config.capability.ieee8021q =
> > > > 1;
> > > >
> > > > if (nvsp_ver >= NVSP_PROTOCOL_VERSION_5) {
> > > > -
> > > > init_packet->ms
> > @@ -544,7 +545,8 @@ static int negotiate_nvsp_ver(struct hv_device
> > *device,
> > init_packet->msg.v2_msg.send_ndis_config.capability.ieee8021q = 1;
> >
> > if (nvsp_ver >= NVSP_PROTOCOL_VERSION_5) {
> > - init_packet->msg.v2_msg.send_ndis_config.capability.sriov =
> > 1;
>
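Review bot: under `if (nvsp_ver >= NVSP_PROTOCOL_VERSION_5)` the unconditional `capability.sriov = 1` is dropped and the hunk header shows the block growing by one line, but the replacement is cut off here. Whatever condition now guards the assignment should carry a short comment at this site explaining why SR-IOV is not advertised in that case, so the reason does not live only in the commit message.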
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
drivers/
# cvm
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/sa
On Sun, Jan 17, 2021 at 03:10:32PM +, Wei Liu wrote:
> On Sat, Jan 16, 2021 at 02:02:01PM +0100, Andrea Parri wrote:
> > On Fri, Jan 15, 2021 at 08:30:22PM -0800, Jakub Kicinski wrote:
> > > On Thu, 14 Jan 2021 21:26:28 +0100 Andrea Parri (Microsoft) wrote:
> > > >
On Fri, Jan 15, 2021 at 08:30:22PM -0800, Jakub Kicinski wrote:
> On Thu, 14 Jan 2021 21:26:28 +0100 Andrea Parri (Microsoft) wrote:
> > For additional robustness in the face of Hyper-V errors or malicious
> > behavior, validate all values that originate from packets that Hyper-V
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
On Wed, Dec 23, 2020 at 02:47:56AM +, Michael Kelley wrote:
> From: Sasha Levin Sent: Tuesday, December 22, 2020 6:22 PM
> >
> > From: "Andrea Parri (Microsoft)"
> >
> > [ Upstream commit 206ad34d52a2f1205c84d08c12fc116aad0eb407 ]
> >
> &
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
> > @@ -419,17 +446,52 @@ static u32 hv_pkt_iter_avail(const struct
> > hv_ring_buffer_info *rbi)
> > struct vmpacket_descriptor *hv_pkt_iter_first(struct vmbus_channel
> > *channel)
> > {
> > struct hv_ring_buffer_info *rbi = &channel->inbound;
> > - struct vmpacket_descriptor *desc;
> >
On Mon, Nov 09, 2020 at 11:07:27AM +0100, Andrea Parri (Microsoft) wrote:
> From: Andres Beltran
>
> Pointers to ring-buffer packets sent by Hyper-V are used within the
> guest VM. Hyper-V can send packets with erroneous values or modify
> packet fields after they are processed b
Lack of validation could lead to out-of-bound reads and information
leaks (cf. usage of nvdev->chan_table[]). Check that the number of
allocated sub-channels fits into the expected range.
Suggested-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is t
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinski
On Wed, Nov 04, 2020 at 01:45:05PM -0800, Jakub Kicinski wrote:
> On Wed, 4 Nov 2020 13:43:48 -0800 Jakub Kicinski wrote:
> > On Wed, 4 Nov 2020 16:40:27 +0100 Andrea Parri (Microsoft) wrote:
> > > From: Andres Beltran
> > >
> > > Currently, pointers to g
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
d
Hi all,
This is a resubmission of:
https://lkml.kernel.org/r/20200907161920.71460-1-parri.and...@gmail.com
based on 5.10-rc2.
Andrea
Cc: James E.J. Bottomley
Cc: Martin K. Petersen
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-s...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andre
subvert an existing validation via integer overflow. Ensure that
outgoing packets do not have any leftover guest memory that has not
been zeroed out.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
> > @@ -740,12 +755,45 @@ static void netvsc_send_completion(struct
> > net_device *ndev,
> >int budget)
> > {
> > const struct nvsp_message *nvsp_packet = hv_pkt_data(desc);
> > + u32 msglen = hv_pkt_datalen(desc);
> > +
> > + /* Ensure packet is big enough
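Review bot: in netvsc_send_completion(), `nvsp_packet` is taken from hv_pkt_data(desc) before `msglen` is checked, so the test that follows the "Ensure packet is big enough" comment has to run before any field is read through `nvsp_packet`. The visible lines stop at the comment; confirm that the comparison is against the size of the message header first, then against the per-type payload, and that the function returns without touching the packet when either check fails.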
subvert an existing validation via integer overflow. Ensure that
outgoing packets do not have any leftover guest memory that has not
been zeroed out.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
Changes in v7:
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is t
Hi Haiyang,
[I'm resuming this work by Andres. Sorry for the delay.]
> > switch (nvsp_packet->hdr.msg_type) {
> > case NVSP_MSG_TYPE_INIT_COMPLETE:
> > case NVSP_MSG1_TYPE_SEND_RECV_BUF_COMPLETE:
> > case NVSP_MSG1_TYPE_SEND_SEND_BUF_COMPLETE:
> > case NVSP_MSG5_TYPE_SUBCHAN
espectively.
>
> Thanks.
> Andres Beltran
>
> Tested-by: Andrea Parri
Em, I don't expect the changes introduced since v1 to have any observable
effects, but I really don't know: I should be able to complete my testing
of this by tomorrow or so; for now, please just ignore thi
On Fri, Jun 26, 2020 at 01:42:27PM +, Wei Liu wrote:
> On Thu, Jun 25, 2020 at 11:37:20AM -0400, Andres Beltran wrote:
> > From: Andres Beltran (Microsoft)
> >
> > Currently, VMbus drivers use pointers into guest memory as request IDs
> > for interactions with Hyper-V. To be more robust in th
hardening
For the series,
Tested-by: Andrea Parri
Thanks,
Andrea
On Fri, May 31, 2019 at 08:45:47AM -0700, Eric Dumazet wrote:
> On 5/31/19 7:45 AM, Herbert Xu wrote:
> > In this case the code doesn't need them because an implicit
> > barrier() (which is *stronger* than READ_ONCE/WRITE_ONCE) already
> > exists in both places.
> I have already explained that t
Because READ_ONCE() now implies smp_read_barrier_depends(), the
smp_read_barrier_depends() in __ptr_ring_consume() is redundant;
this commit removes it and updates the comments.
Signed-off-by: Andrea Parri
Cc: "David S. Miller"
Cc: "Michael S. Tsirkin"
Cc: Jason Wang
Cc
The member (u32) "num_active_agg" of struct qfq_sched has been unused
since its introduction in 462dbc9101acd38e92eda93c0726857517a24bbd
"pkt_sched: QFQ Plus: fair-queueing service at DRR cost" and (AFAICT)
there is no active plan to use it; this removes the member.
Signed-
The control !hlist_unhashed() in qfq_destroy_agg() is unnecessary
because already performed in hlist_del_init(), so remove it.
Signed-off-by: Andrea Parri
---
net/sched/sch_qfq.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
54 matches