From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by dpdk.org (Postfix) with ESMTP id CA1848DA1 for ; Wed, 18 Nov 2015 17:01:27 +0100 (CET) Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga103.jf.intel.com with ESMTP; 18 Nov 2015 08:01:17 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.20,313,1444719600"; d="scan'208";a="688565183" Received: from fmsmsx105.amr.corp.intel.com ([10.18.124.203]) by orsmga003.jf.intel.com with ESMTP; 18 Nov 2015 08:01:18 -0800 Received: from fmsmsx117.amr.corp.intel.com (10.18.116.17) by FMSMSX105.amr.corp.intel.com (10.18.124.203) with Microsoft SMTP Server (TLS) id 14.3.248.2; Wed, 18 Nov 2015 08:01:03 -0800 Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by fmsmsx117.amr.corp.intel.com (10.18.116.17) with Microsoft SMTP Server (TLS) id 14.3.248.2; Wed, 18 Nov 2015 08:01:02 -0800 Received: from shsmsx101.ccr.corp.intel.com ([169.254.1.83]) by SHSMSX103.ccr.corp.intel.com ([169.254.4.138]) with mapi id 14.03.0248.002; Thu, 19 Nov 2015 00:00:55 +0800 From: "Xie, Huawei" To: Stephen Hemminger Thread-Topic: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len Thread-Index: AdEhyDF4iWSKtQdITxus5pSs6TsLqw== Date: Wed, 18 Nov 2015 16:00:54 +0000 Message-ID: References: <1447315353-42152-1-git-send-email-rlane@bigswitch.com> <20151112092305.GI2326@yliu-dev.sh.intel.com> <20151117132349.GT2326@yliu-dev.sh.intel.com> <20151118025655.GW2326@yliu-dev.sh.intel.com> <20151118075318.3b51f25a@samsung9> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "dev@dpdk.org" Subject: Re: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Nov 2015 16:01:28 -0000 On 11/18/2015 11:53 PM, Stephen Hemminger wrote:=0A= > On Wed, 18 Nov 2015 06:13:08 +0000=0A= > "Xie, Huawei" wrote:=0A= >=0A= >> On 11/18/2015 10:56 AM, Yuanhan Liu wrote:=0A= >>> On Tue, Nov 17, 2015 at 08:39:30AM -0800, Rich Lane wrote:=0A= >>>> I don't think that adding a SIGINT handler is the right solution, thou= gh. The=0A= >>>> guest app could be killed with another signal (SIGKILL).=0A= >>> Good point.=0A= >>>=0A= >>>> Worse, a malicious or=0A= >>>> buggy guest could write to just that field. vhost should not crash no = matter=0A= >>>> what the guest writes into the virtqueues.=0A= >> Rich, exactly, that has been in our list for a long time. We should=0A= >> ensure that "Any malicious guest couldn't crash host through vrings"=0A= >> otherwise this vhost implementation couldn't be deployed into production= =0A= >> environment.=0A= >> There are many other known security holes in current dpdk vhost in my mi= nd.=0A= >> A very simple example is we don't check the gpa_to_vva return value, so= =0A= >> you could easily put a invalid GPA to vring entry to crash vhost.=0A= >> My plan is to review the vhost implementation, fix all the possible=0A= >> issues in one single patch set, and make the fix performance=0A= >> optimization friendly rather than fix them here and there.=0A= >>=0A= > Both virtio and vhost need to adopt the "other side is broken" flag=0A= > model that is in Linux drivers. What this means is that the virtio=0A= > and vhost driver would check parameters for consistency, and if out=0A= > of bounds set a broken flag and refuse to do anything more with the=0A= > device until reset.=0A= Stephen:=0A= You raise an important opinion.=0A= Current DPDK virtio driver implementation chooses to trust the vhost, so=0A= doesn't do any consistency check.=0A= What is the reason that virtio driver also needs consistency check? Is=0A= it that vhost might be buggy or that vhost might also not be trusted in=0A= some user case?=0A= /huawei=0A= >=0A= =0A=