Date: Wed, 18 Nov 2015 07:53:18 -0800
From: Stephen Hemminger
To: "Xie, Huawei"
Cc: "dev@dpdk.org"
Subject: Re: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len
Message-ID: <20151118075318.3b51f25a@samsung9>
In-Reply-To:
References: <1447315353-42152-1-git-send-email-rlane@bigswitch.com> <20151112092305.GI2326@yliu-dev.sh.intel.com> <20151117132349.GT2326@yliu-dev.sh.intel.com> <20151118025655.GW2326@yliu-dev.sh.intel.com>

On Wed, 18 Nov 2015 06:13:08 +0000
"Xie, Huawei" wrote:

> On 11/18/2015 10:56 AM, Yuanhan Liu wrote:
> > On Tue, Nov 17, 2015 at 08:39:30AM -0800, Rich Lane wrote:
> >> I don't think that adding a SIGINT handler is the right solution, though. The
> >> guest app could be killed with another signal (SIGKILL).
> > Good point.
> >
> >> Worse, a malicious or
> >> buggy guest could write to just that field. vhost should not crash no matter
> >> what the guest writes into the virtqueues.
> Rich, exactly, that has been in our list for a long time. We should
> ensure that "Any malicious guest couldn't crash host through vrings",
> otherwise this vhost implementation couldn't be deployed into a production
> environment.
> There are many other known security holes in current dpdk vhost in my mind.
> A very simple example is we don't check the gpa_to_vva return value, so
> you could easily put an invalid GPA into a vring entry to crash vhost.
> My plan is to review the vhost implementation, fix all the possible
> issues in one single patch set, and make the fix performance
> optimization friendly rather than fix them here and there.
> Both virtio and vhost need to adopt the "other side is broken" flag model that is in Linux drivers. What this means is that the virtio and vhost driver would check parameters for consistency, and if out of bounds set a broken flag and refuse to do anything more with the device until reset.
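As an added illustration (not DPDK code and not from anyone in this thread), the sketch below applies the "other side is broken" model Stephen describes, and the unchecked gpa_to_vva return value Huawei mentions, to a toy vhost-style descriptor walk. Every name in it (toy_dev, toy_desc, toy_gpa_to_vva, toy_secure_len, toy_reset) is hypothetical, the ring layout is simplified, and the guest memory region and ring contents are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy device, not the DPDK vhost structures. */
#define RING_SIZE 8
#define GUEST_MEM_SIZE 4096   /* one constructed guest memory region */

struct toy_desc {
    uint64_t gpa;   /* guest-physical address, written by the guest */
    uint32_t len;   /* buffer length, written by the guest */
    uint16_t next;  /* index of the next descriptor in the chain */
    uint16_t flags; /* bit 0: chain continues at 'next' */
};

struct toy_dev {
    struct toy_desc ring[RING_SIZE];   /* shared with the untrusted guest */
    uint8_t guest_mem[GUEST_MEM_SIZE]; /* backing store of the one region */
    uint64_t region_gpa;               /* guest-physical base of that region */
    bool broken;                       /* set once; cleared only by reset */
};

/* Translate [gpa, gpa+len) to a host pointer; NULL if any byte of the range
 * lies outside the mapped region. The caller must check for NULL. */
static void *toy_gpa_to_vva(struct toy_dev *dev, uint64_t gpa, uint32_t len)
{
    uint64_t off;
    if (gpa < dev->region_gpa)
        return NULL;
    off = gpa - dev->region_gpa;
    if (off >= GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - off)
        return NULL;
    return dev->guest_mem + off;
}

/* Walk the chain starting at 'head' and sum the buffer lengths.
 * Returns the total, or 0 after marking the device broken when the
 * guest-written data is inconsistent (index out of range, chain loop,
 * untranslatable GPA, length overflow). Once broken, every call refuses
 * without touching the ring again, until toy_reset(). */
static uint32_t toy_secure_len(struct toy_dev *dev, uint16_t head)
{
    uint32_t total = 0;
    uint16_t idx = head;
    unsigned hops = 0;

    if (dev->broken)
        return 0;

    for (;;) {
        struct toy_desc d;

        if (idx >= RING_SIZE || hops++ >= RING_SIZE)  /* bad index or loop */
            goto broken;
        d = dev->ring[idx];   /* copy once: the guest may rewrite the entry */
        if (toy_gpa_to_vva(dev, d.gpa, d.len) == NULL)
            goto broken;
        if (d.len > UINT32_MAX - total)
            goto broken;
        total += d.len;
        if (!(d.flags & 1))
            return total;
        idx = d.next;
    }
broken:
    dev->broken = true;
    return 0;
}

/* Device reset: the only path that clears the broken flag. */
static void toy_reset(struct toy_dev *dev)
{
    memset(dev->ring, 0, sizeof dev->ring);
    dev->broken = false;
}

/* Constructed scenario; returns 0 when every check behaves as expected. */
static int toy_demo(void)
{
    static struct toy_dev dev;
    memset(&dev, 0, sizeof dev);
    dev.region_gpa = 0x1000;

    /* well-formed two-descriptor chain: 100 + 200 bytes */
    dev.ring[0] = (struct toy_desc){ .gpa = 0x1000, .len = 100, .next = 1, .flags = 1 };
    dev.ring[1] = (struct toy_desc){ .gpa = 0x1100, .len = 200, .next = 0, .flags = 0 };
    if (toy_secure_len(&dev, 0) != 300)
        return 1;

    /* hostile entry: GPA outside the mapped region -> device marked broken */
    dev.ring[2] = (struct toy_desc){ .gpa = 0x9000, .len = 16, .next = 0, .flags = 0 };
    if (toy_secure_len(&dev, 2) != 0 || !dev.broken)
        return 2;
    if (toy_secure_len(&dev, 0) != 0)   /* the good chain is refused too */
        return 3;

    /* after reset, a self-referencing chain is caught by the hop limit */
    toy_reset(&dev);
    dev.ring[3] = (struct toy_desc){ .gpa = 0x1000, .len = 1, .next = 3, .flags = 1 };
    if (toy_secure_len(&dev, 3) != 0 || !dev.broken)
        return 4;
    return 0;
}

int main(void)
{
    printf("toy_demo: %d\n", toy_demo());
    return 0;
}
```

The two design points worth copying are that the descriptor is read from the shared ring exactly once per hop, so a guest racing the walk cannot make the validated values differ from the used ones, and that no check silently clamps or skips a bad entry: any inconsistency sets `broken`, and the flag stays set until a reset.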