Commit a89db445 authored Sep 08, 2019 by Michael S. Tsirkin

vhost: block speculation of translated descriptors



iovec addresses coming from vhost are assumed to be
pre-validated, but in fact can be speculated to a value
out of range.

Userspace address are later validated with array_index_nospec so we can
be sure kernel info does not leak through these addresses, but vhost
must also not leak userspace info outside the allowed memory table to
guests.

Following the defence in depth principle, make sure
the address is not validated out of node range.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>

parent cf8f1696

drivers/vhost/vhost.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
		_iov = iov + ret;
		size = node->size - addr + node->start;
		_iov->iov_len = min((u64)len - s, size);
		_iov->iov_base = (void __user *)(unsigned long)
		(node->userspace_addr + addr - node->start);
		_iov->iov_base = (void __user *)
		((unsigned long)node->userspace_addr +
		array_index_nospec((unsigned long)(addr - node->start),
		node->size));
		s += size;
		addr += size;
		++ret;

Admin message