--- /dev/null
+From a89db445fbd7f1f8457b03759aa7343fa530ef6b Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Sun, 8 Sep 2019 07:04:08 -0400
+Subject: vhost: block speculation of translated descriptors
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit a89db445fbd7f1f8457b03759aa7343fa530ef6b upstream.
+
+iovec addresses coming from vhost are assumed to be
+pre-validated, but in fact can be speculated to a value
+out of range.
+
+Userspace address are later validated with array_index_nospec so we can
+be sure kernel info does not leak through these addresses, but vhost
+must also not leak userspace info outside the allowed memory table to
+guests.
+
+Following the defence in depth principle, make sure
+the address is not validated out of node range.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: stable@vger.kernel.org
+Acked-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vhost.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1965,8 +1965,10 @@ static int translate_desc(struct vhost_v
+ _iov = iov + ret;
+ size = node->size - addr + node->start;
+ _iov->iov_len = min((u64)len - s, size);
+- _iov->iov_base = (void __user *)(unsigned long)
+- (node->userspace_addr + addr - node->start);
++ _iov->iov_base = (void __user *)
++ ((unsigned long)node->userspace_addr +
++ array_index_nospec((unsigned long)(addr - node->start),
++ node->size));
+ s += size;
+ addr += size;
+ ++ret;
--- /dev/null
+From 060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 Mon Sep 17 00:00:00 2001
+From: yongduan <yongduan@tencent.com>
+Date: Wed, 11 Sep 2019 17:44:24 +0800
+Subject: vhost: make sure log_num < in_num
+
+From: yongduan <yongduan@tencent.com>
+
+commit 060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 upstream.
+
+The code assumes log_num < in_num everywhere, and that is true as long as
+in_num is incremented by descriptor iov count, and log_num by 1. However
+this breaks if there's a zero sized descriptor.
+
+As a result, if a malicious guest creates a vring desc with desc.len = 0,
+it may cause the host kernel to crash by overflowing the log array. This
+bug can be triggered during the VM migration.
+
+There's no need to log when desc.len = 0, so just don't increment log_num
+in this case.
+
+Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server")
+Cc: stable@vger.kernel.org
+Reviewed-by: Lidong Chen <lidongchen@tencent.com>
+Signed-off-by: ruippan <ruippan@tencent.com>
+Signed-off-by: yongduan <yongduan@tencent.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vhost/vhost.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2074,7 +2074,7 @@ static int get_indirect(struct vhost_vir
+ /* If this is an input descriptor, increment that count. */
+ if (access == VHOST_ACCESS_WO) {
+ *in_num += ret;
+- if (unlikely(log)) {
++ if (unlikely(log && ret)) {
+ log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
+ log[*log_num].len = vhost32_to_cpu(vq, desc.len);
+ ++*log_num;
+@@ -2217,7 +2217,7 @@ int vhost_get_vq_desc(struct vhost_virtq
+ /* If this is an input descriptor,
+ * increment that count. */
+ *in_num += ret;
+- if (unlikely(log)) {
++ if (unlikely(log && ret)) {
+ log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
+ log[*log_num].len = vhost32_to_cpu(vq, desc.len);
+ ++*log_num;
projects / thirdparty / kernel / stable-queue.git / commitdiff
