Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
Changes since RFC:
- pass sentinel values for {init,reset}_request in
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 9 ++--
drivers/hv
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding
all issues with allocating enough entries in the VMbus requestor.
Suggested-by: Michael Kelley
Signed-off-by: Andrea Parri (Microsoft)
---
drivers/hv/channel.c | 14 +++---
drivers/hv/ring_buffer.c | 12
nsfer_page' packet (all implementations), that
is known/validated to be less than or equal to the receive section
size and not smaller than the length of the RNDIS message.
Reported-by: Dexuan Cui
Suggested-by: Haiyang Zhang
Signed-off-by: Andrea Parri (Microsoft)
Fixes: 505e3f00c3f36 (
Fix the typo.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the
receive buffer")
---
drivers/net/hyperv/rndis_filter.c | 2 +-
1 file
arios from occurring in the future.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
Fixes: 44144185951a0f ("hv_netvsc: Add validation for untrusted Hyper-V values")
---
drivers/net/hyperv/net
Patch #2 also addresses the Smatch complaint reported here:
https://lkml.kernel.org/r/YBp2oVIdMe+G%2FliJ@mwanda/
Thanks,
Andrea
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (2):
hv_netvsc: Allocate the recv_buf buf
malicious host to bypass the check on the packet's
length in netvsc_receive() and hence to overflow the recv_buf buffer.
Move the allocation of the recv_buf buffers into netvsc_init_but().
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc:
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Reviewed-by: Haiyang Zhang
Cc: "David S. Miller"
Cc: Jakub Ki
i.and...@gmail.com
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
Changes since v1 [1]:
- copy certain
"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/save the Isolation Configuration leaf
Drivers: hv: vmbus: Restrict vmbus_devices on isolated
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.
and offset fields in netvsc_filter_receive(). In this way,
the packet can no longer be modified by the host.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
drivers/net/hyperv/hyperv_ne
supposed to support SR-IOV. This reduces the footprint of the
code that will be exercised by Confidential VMs and hence the exposure
to bugs and vulnerabilities.
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
drivers/
# cvm
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Arnd Bergmann
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: x...@kernel.org
Cc: linux-a...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andrea Parri (Microsoft) (4):
x86/hyperv: Load/sa
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
. Ensure that outgoing packets do not have any leftover guest
memory that has not been zeroed out.
Reported-by: Juan Vazquez
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaF
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
Lack of validation could lead to out-of-bound reads and information
leaks (cf. usage of nvdev->chan_table[]). Check that the number of
allocated sub-channels fits into the expected range.
Suggested-by: Saruhan Karademir
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller&quo
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is t
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Acked-by: Jakub Kicinski
Cc: "David S. Miller"
Cc: Jakub Kicinski
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Reviewed-by: Michael Kelley
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
d
Hi all,
This is a resubmission of:
https://lkml.kernel.org/r/20200907161920.71460-1-parri.and...@gmail.com
based on 5.10-rc2.
Andrea
Cc: James E.J. Bottomley
Cc: Martin K. Petersen
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: linux-s...@vger.kernel.org
Cc: netdev@vger.kernel.org
Andre
subvert an existing validation via integer overflow. Ensure that
outgoing packets do not have any leftover guest memory that has not
been zeroed out.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
subvert an existing validation via integer overflow. Ensure that
outgoing packets do not have any leftover guest memory that has not
been zeroed out.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
validating its length and offset fields in hv_pkt_iter_first().
In this way, the packet can no longer be modified by the host.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc:
integers generated by vmbus_requestor as requests
(transaction) IDs.
Signed-off-by: Andres Beltran
Co-developed-by: Andrea Parri (Microsoft)
Signed-off-by: Andrea Parri (Microsoft)
Cc: "David S. Miller"
Cc: Jakub Kicinski
Cc: netdev@vger.kernel.org
---
Changes in v7:
Currently, VMbus drivers use pointers into guest memory as request IDs
for interactions with Hyper-V. To be more robust in the face of errors
or malicious behavior from a compromised Hyper-V, avoid exposing
guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a
bad request ID that is t
30 matches
Mail list logo
