[PATCH v2] Drivers: hv: vmbus: Initialize unload_event statically

2021-04-19 Thread Andrea Parri (Microsoft)
If a malicious or compromised Hyper-V sends a spurious message of type CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will call complete() on an uninitialized event, and cause an oops. Reported-by: Michael Kelley Signed-off-by: Andrea Parri (Microsoft) --- Changes since v1[1

[PATCH] Drivers: hv: vmbus: Initialize unload_event statically

2021-04-16 Thread Andrea Parri (Microsoft)
If a malicious or compromised Hyper-V sends a spurious message of type CHANNELMSG_UNLOAD_RESPONSE, the function vmbus_unload_response() will call complete() on an uninitialized event, and cause an oops. Reported-by: Michael Kelley Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv

[PATCH v3 3/3] Drivers: hv: vmbus: Check for pending channel interrupts before taking a CPU offline

2021-04-16 Thread Andrea Parri (Microsoft)
Check that enough time has passed such that the modify channel message has been processed before taking a CPU offline. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/hv.c | 56 ++--- 1 file changed, 53 insertions(+), 3 deletions(-) diff --git

[PATCH v3 2/3] Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE

2021-04-16 Thread Andrea Parri (Microsoft)
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code to receive and process such a message. Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Michael Kelley --- drivers/hv/channel.c | 99 --- drivers/hv/channel_mgmt.c | 42

[PATCH v3 1/3] Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3

2021-04-16 Thread Andrea Parri (Microsoft)
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to negotiate the new version on versions of Hyper-V that support it. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/connection.c | 3 ++- include/linux/hyperv.h | 2 ++ 2 files changed, 4 insertions(+), 1 deletion

[PATCH v3 0/3] Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE

2021-04-16 Thread Andrea Parri (Microsoft)
Parri (Microsoft) (3): Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3 Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE Drivers: hv: vmbus: Check for pending channel interrupts before taking a CPU offline drivers/hv/channel.c

[PATCH hyperv-next] scsi: storvsc: Use blk_mq_unique_tag() to generate requestIDs

2021-04-15 Thread Andrea Parri (Microsoft)
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding all issues with allocating enough entries in the VMbus requestor. Suggested-by: Michael Kelley Signed-off-by: Andrea Parri (Microsoft) --- Changes since RFC: - pass sentinel values for {init,reset}_request

[PATCH v2 3/3] Drivers: hv: vmbus: Check for pending channel interrupts before taking a CPU offline

2021-04-14 Thread Andrea Parri (Microsoft)
Check that enough time has passed such that the modify channel message has been processed before taking a CPU offline. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/hv.c | 49 + 1 file changed, 49 insertions(+) diff --git a/drivers/hv

[PATCH v2 2/3] Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE

2021-04-14 Thread Andrea Parri (Microsoft)
Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type, and code to receive and process such a message. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel.c | 99 --- drivers/hv/channel_mgmt.c | 42 + drivers/hv

[PATCH v2 0/3] Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE

2021-04-14 Thread Andrea Parri (Microsoft)
changes [1] https://lkml.kernel.org/r/20201126191210.13115-1-parri.and...@gmail.com Andrea Parri (Microsoft) (3): Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3 Drivers: hv: vmbus: Drivers: hv: vmbus: Introduce CHANNELMSG_MODIFYCHANNEL_RESPONSE Drivers: hv: vmbus: Check

[PATCH v2 1/3] Drivers: hv: vmbus: Introduce and negotiate VMBus protocol version 5.3

2021-04-14 Thread Andrea Parri (Microsoft)
Hyper-V has added VMBus protocol version 5.3. Allow Linux guests to negotiate the new version on versions of Hyper-V that support it. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/connection.c | 3 ++- include/linux/hyperv.h | 2 ++ 2 files changed, 4 insertions(+), 1 deletion

[PATCH hyperv-next] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

2021-04-08 Thread Andrea Parri (Microsoft)
validating its length and offset fields in hv_pkt_iter_first(). In this way, the packet can no longer be modified by the host. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel.c | 9 ++-- drivers/hv

[RFC PATCH hyperv-next] scsi: storvsc: Use blk_mq_unique_tag() to generate requestIDs

2021-04-08 Thread Andrea Parri (Microsoft)
Use blk_mq_unique_tag() to generate requestIDs for StorVSC, avoiding all issues with allocating enough entries in the VMbus requestor. Suggested-by: Michael Kelley Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel.c | 14 +++--- drivers/hv/ring_buffer.c | 12

[PATCH] Drivers: hv: vmbus: Drop error message when 'No request id available'

2021-03-01 Thread Andrea Parri (Microsoft)
conditional/debug-only. Suggested-by: Michael Kelley Signed-off-by: Andrea Parri (Microsoft) Fixes: e8b7db38449ac ("Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening") --- drivers/hv/ring_buffer.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/hv/ring_

[PATCH net] hv_netvsc: Fix validation in netvsc_linkstatus_callback()

2021-03-01 Thread Andrea Parri (Microsoft)
' packet (all implementations), that is known/validated to be less than or equal to the receive section size and not smaller than the length of the RNDIS message. Reported-by: Dexuan Cui Suggested-by: Haiyang Zhang Signed-off-by: Andrea Parri (Microsoft) Fixes: 505e3f00c3f36 ("hv_netvsc

[PATCH net-next 2/2] hv_netvsc: Load and store the proper (NBL_HASH_INFO) per-packet info

2021-02-03 Thread Andrea Parri (Microsoft)
Fix the typo. Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Fixes: 0ba35fe91ce34f ("hv_netvsc: Copy packets sent by Hyper-V out of the receive buffer") --- drivers/net/hyperv/rndis_filter.c | 2 +- 1 file

[PATCH net] hv_netvsc: Reset the RSC count if NVSP_STAT_FAIL in netvsc_receive()

2021-02-03 Thread Andrea Parri (Microsoft)
arios from occurring in the future. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Fixes: 44144185951a0f ("hv_netvsc: Add validation for untrusted Hyper-V values") --- drivers/net/hyperv/net

[PATCH net-next 1/2] hv_netvsc: Allocate the recv_buf buffers after NVSP_MSG1_TYPE_SEND_RECV_BUF

2021-02-03 Thread Andrea Parri (Microsoft)
by a malicious host to bypass the check on the packet's length in netvsc_receive() and hence to overflow the recv_buf buffer. Move the allocation of the recv_buf buffers into netvsc_init_but(). Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jaku

[PATCH net-next 0/2] Amend "hv_netvsc: Copy packets sent by Hyper-V out of the receive buffer"

2021-02-03 Thread Andrea Parri (Microsoft)
Patch #2 also addresses the Smatch complaint reported here: https://lkml.kernel.org/r/YBp2oVIdMe+G%2FliJ@mwanda/ Thanks, Andrea Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org Andrea Parri (Microsoft) (2): hv_netvsc: Allocate the recv_buf buf

[PATCH v3 hyperv-next 2/4] Drivers: hv: vmbus: Restrict vmbus_devices on isolated guests

2021-02-01 Thread Andrea Parri (Microsoft)
and vulnerabilities. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 38 ++ include/linux/hyperv.h| 1 + 2 files changed, 39 insertions(+) diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c index 68950a1e4b638..f0ed730e2e4e4

[PATCH v3 hyperv-next 1/4] x86/hyperv: Load/save the Isolation Configuration leaf

2021-02-01 Thread Andrea Parri (Microsoft)
), and 'NONE' (no isolation). Signed-off-by: Andrea Parri (Microsoft) Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Arnd Bergmann Cc: x...@kernel.org Cc: linux-a...@vger.kernel.org --- arch/x86/hyperv/hv_init.c | 15 +++ arch/x

[PATCH v3 hyperv-next 3/4] Drivers: hv: vmbus: Enforce 'VMBus version >= 5.2' on isolated guests

2021-02-01 Thread Andrea Parri (Microsoft)
Restrict the protocol version(s) that will be negotiated with the host to be 5.2 or greater if the guest is running isolated. This reduces the footprint of the code that will be exercised by Confidential VMs and hence the exposure to bugs and vulnerabilities. Signed-off-by: Andrea Parri

[PATCH v3 hyperv-next 4/4] hv_netvsc: Restrict configurations on isolated guests

2021-02-01 Thread Andrea Parri (Microsoft)
are not supposed to support SR-IOV. This reduces the footprint of the code that will be exercised by Confidential VMs and hence the exposure to bugs and vulnerabilities. Signed-off-by: Andrea Parri (Microsoft) Acked-by: Jakub Kicinski Reviewed-by: Haiyang Zhang Cc: "David S. Miller" Cc: Jakub Ki

[PATCH v3 hyperv-next 0/4] Drivers: hv: vmbus: Restrict devices and configurations on 'isolated' guests

2021-02-01 Thread Andrea Parri (Microsoft)
Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Arnd Bergmann Cc: "David S. Miller" Cc: Jakub Kicinski Cc: x...@kernel.org Cc: linux-a...@vger.kernel.org Cc: net...@vger.kernel.org Andrea Parri (Microsoft) (4): x86/hyperv: Load/save the Isolatio

[PATCH v2 net-next] hv_netvsc: Copy packets sent by Hyper-V out of the receive buffer

2021-01-26 Thread Andrea Parri (Microsoft)
and offset fields in netvsc_filter_receive(). In this way, the packet can no longer be modified by the host. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org --- Changes since v1 [1]: - copy ce

[PATCH v2 1/4] x86/hyperv: Load/save the Isolation Configuration leaf

2021-01-26 Thread Andrea Parri (Microsoft)
), and 'NONE' (no isolation). Signed-off-by: Andrea Parri (Microsoft) Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Arnd Bergmann Cc: x...@kernel.org Cc: linux-a...@vger.kernel.org --- arch/x86/hyperv/hv_init.c | 15 +++ arch/x

[PATCH v2 0/4] Drivers: hv: vmbus: Restrict devices and configurations on 'isolated' guests

2021-01-26 Thread Andrea Parri (Microsoft)
" Cc: Arnd Bergmann Cc: "David S. Miller" Cc: Jakub Kicinski Cc: x...@kernel.org Cc: linux-a...@vger.kernel.org Cc: net...@vger.kernel.org Andrea Parri (Microsoft) (4): x86/hyperv: Load/save the Isolation Configuration leaf Drivers: hv: vmbus: Restrict vmbus_devices on isolated

[PATCH v2 4/4] hv_netvsc: Restrict configurations on isolated guests

2021-01-26 Thread Andrea Parri (Microsoft)
are not supposed to support SR-IOV. This reduces the footprint of the code that will be exercised by Confidential VMs and hence the exposure to bugs and vulnerabilities. Signed-off-by: Andrea Parri (Microsoft) Acked-by: Jakub Kicinski Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.

[PATCH v2 2/4] Drivers: hv: vmbus: Restrict vmbus_devices on isolated guests

2021-01-26 Thread Andrea Parri (Microsoft)
and vulnerabilities. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 36 include/linux/hyperv.h| 1 + 2 files changed, 37 insertions(+) diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c index 68950a1e4b638..774ee19e3e90d

[PATCH v2 3/4] Drivers: hv: vmbus: Enforce 'VMBus version >= 5.2' on isolated guests

2021-01-26 Thread Andrea Parri (Microsoft)
Restrict the protocol version(s) that will be negotiated with the host to be 5.2 or greater if the guest is running isolated. This reduces the footprint of the code that will be exercised by Confidential VMs and hence the exposure to bugs and vulnerabilities. Signed-off-by: Andrea Parri

[PATCH net-next] hv_netvsc: Copy packets sent by Hyper-V out of the receive buffer

2021-01-26 Thread Andrea Parri (Microsoft)
and offset fields in netvsc_filter_receive(). In this way, the packet can no longer be modified by the host. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org --- drivers/net/hyperv/hyperv_ne

[PATCH 0/4] Drivers: hv: vmbus: Restrict devices and configurations on 'isolated' guests

2021-01-19 Thread Andrea Parri (Microsoft)
: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Arnd Bergmann Cc: "David S. Miller" Cc: Jakub Kicinski Cc: x...@kernel.org Cc: linux-a...@vger.kernel.org Cc: net...@vger.kernel.org Andrea Parri (Microsoft) (4): x86/hyperv: Load/save the Iso

[PATCH 2/4] Drivers: hv: vmbus: Restrict vmbus_devices on isolated guests

2021-01-19 Thread Andrea Parri (Microsoft)
and vulnerabilities. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 36 include/linux/hyperv.h| 1 + 2 files changed, 37 insertions(+) diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c index 68950a1e4b638..774ee19e3e90d

[PATCH 4/4] hv_netvsc: Restrict configurations on isolated guests

2021-01-19 Thread Andrea Parri (Microsoft)
are not supposed to support SR-IOV. This reduces the footprint of the code that will be exercised by Confidential VMs and hence the exposure to bugs and vulnerabilities. Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org --- drivers/

[PATCH 1/4] x86/hyperv: Load/save the Isolation Configuration leaf

2021-01-19 Thread Andrea Parri (Microsoft)
), and 'NONE' (no isolation). Signed-off-by: Andrea Parri (Microsoft) Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H. Peter Anvin" Cc: Arnd Bergmann Cc: x...@kernel.org Cc: linux-a...@vger.kernel.org --- arch/x86/hyperv/hv_init.c | 15 +++ arch/x

[PATCH 3/4] Drivers: hv: vmbus: Enforce 'VMBus version >= 5.2' on isolated guests

2021-01-19 Thread Andrea Parri (Microsoft)
Restrict the protocol version(s) that will be negotiated with the host to be 5.2 or greater if the guest is running isolated. This reduces the footprint of the code that will be exercised by Confidential VMs and hence the exposure to bugs and vulnerabilities. Signed-off-by: Andrea Parri

[PATCH v2] hv_netvsc: Add (more) validation for untrusted Hyper-V values

2021-01-14 Thread Andrea Parri (Microsoft)
. Ensure that outgoing packets do not have any leftover guest memory that has not been zeroed out. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: Andrii Nakryiko Cc: Martin KaF

[PATCH] hv_netvsc: Add (more) validation for untrusted Hyper-V values

2021-01-07 Thread Andrea Parri (Microsoft)
. Ensure that outgoing packets do not have any leftover guest memory that has not been zeroed out. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: Andrii Nakryiko Cc: Martin KaF

[PATCH 3/3] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-12-17 Thread Andrea Parri (Microsoft)
Check that the packet is of the expected size at least, don't copy data past the packet. Reported-by: Saruhan Karademir Signed-off-by: Andrea Parri (Microsoft) Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org --- drivers/scsi/storvsc_drv.

[PATCH 2/3] scsi: storvsc: Resolve data race in storvsc_probe()

2020-12-17 Thread Andrea Parri (Microsoft)
-by: Dexuan Cui Signed-off-by: Andrea Parri (Microsoft) Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org --- drivers/scsi/storvsc_drv.c | 45 +- 1 file changed, 25 insertions(+), 20 deletions(-) diff

[PATCH 1/3] scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and newer

2020-12-17 Thread Andrea Parri (Microsoft)
-off-by: Andrea Parri (Microsoft) Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org --- drivers/scsi/storvsc_drv.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c

[PATCH 0/3] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback() -- Take 2

2020-12-17 Thread Andrea Parri (Microsoft)
tch 1/3 emerged from internal review of these two patches and is a related fix. Thanks, Andrea Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org Andrea Parri (Microsoft) (3): scsi: storvsc: Fix max_outstanding_req_per_channel for Win8 and

[PATCH] Revert "scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()"

2020-12-11 Thread Andrea Parri (Microsoft)
. Let's put the new validation aside until a proper solution for that race condition is in place. Signed-off-by: Andrea Parri (Microsoft) Cc: Dexuan Cui Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org --- drivers/scsi/storvsc_drv.c | 5 -

[PATCH v3 3/6] Drivers: hv: vmbus: Copy the hv_message in vmbus_on_msg_dpc()

2020-12-08 Thread Andrea Parri (Microsoft)
Since the message is in memory shared with the host, an erroneous or a malicious Hyper-V could 'corrupt' the message while vmbus_on_msg_dpc() or individual message handlers are executing. To prevent it, copy the message into private memory. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri

[PATCH v3 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host

2020-12-08 Thread Andrea Parri (Microsoft)
, potentially leaking guest data. Zero initialize such fields to avoid leaking sensitive information to the host. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Michael Kelley --- Changes since v2: - Add Reviewed-by: tag drivers/hv/channel.c | 4 ++-- 1 file changed

[PATCH v3 5/6] Drivers: hv: vmbus: Resolve race condition in vmbus_onoffer_rescind()

2020-12-08 Thread Andrea Parri (Microsoft)
to a use-after-free. Add a new flag to the channel structure to make sure that only one instance of vmbus_onoffer_rescind() can get the reference to the channel object. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 12 include

[PATCH v3 6/6] Drivers: hv: vmbus: Do not allow overwriting vmbus_connection.channels[]

2020-12-08 Thread Andrea Parri (Microsoft)
not allow overwriting an entry vmbus_connection.channels[]. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- Changes since v2: - Release channel_mutex before 'return' in vmbus_onoffer() error path drivers/hv/channel_mgmt.c | 40 +-- drivers/hv

[PATCH v3 2/6] Drivers: hv: vmbus: Reduce number of references to message in vmbus_on_msg_dpc()

2020-12-08 Thread Andrea Parri (Microsoft)
Simplify the function by removing various references to the hv_message 'msg', introduce local variables 'msgtype' and 'payload_size'. Suggested-by: Juan Vazquez Suggested-by: Michael Kelley Signed-off-by: Andrea Parri (Microsoft) --- Changes since v2: - Squash patches #2 and #3 - Revisit

[PATCH v3 0/6] Drivers: hv: vmbus: More VMBus-hardening changes

2020-12-08 Thread Andrea Parri (Microsoft)
Integrating feedback from Juan, Michael and Wei. [1] Changelogs are inline/in the patches. Thanks, Andrea [1] https://lkml.kernel.org/r/20201202092214.13520-1-parri.and...@gmail.com Andrea Parri (Microsoft) (6): Drivers: hv: vmbus: Initialize memory to be sent to the host Drivers: hv

[PATCH v3 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

2020-12-08 Thread Andrea Parri (Microsoft)
ree can be avoided by noticing that this load/check is redundant if device_obj is non-NULL: primary_channel must be NULL if device_obj is non-NULL, cf. vmbus_add_channel_work(). Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling") Reported-by: Juan Vazquez Signed-off-by:

[PATCH v3] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

2020-12-07 Thread Andrea Parri (Microsoft)
validating its length and offset fields in hv_pkt_iter_first(). In this way, the packet can no longer be modified by the host. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc:

[PATCH v2 5/7] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

2020-12-02 Thread Andrea Parri (Microsoft)
ree can be avoided by noticing that this load/check is redundant if device_obj is non-NULL: primary_channel must be NULL if device_obj is non-NULL, cf. vmbus_add_channel_work(). Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling") Reported-by: Juan Vazquez Signed-off-by:

[PATCH v2 6/7] Drivers: hv: vmbus: Resolve race condition in vmbus_onoffer_rescind()

2020-12-02 Thread Andrea Parri (Microsoft)
to a use-after-free. Add a new flag to the channel structure to make sure that only one instance of vmbus_onoffer_rescind() can get the reference to the channel object. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 12 include

[PATCH v2 3/7] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc()

2020-12-02 Thread Andrea Parri (Microsoft)
vmbus_on_msg_dpc() double fetches from payload_size. The double fetch can lead to a buffer overflow when (mem)copying the hv_message object. Avoid the double fetch by saving the value of payload_size into a local variable. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft

[PATCH v2 4/7] Drivers: hv: vmbus: Copy the hv_message object in vmbus_on_msg_dpc()

2020-12-02 Thread Andrea Parri (Microsoft)
The hv_message object is in memory shared with the host. To prevent an erroneous or a malicious host from 'corrupting' such object, copy the object into private memory. Suggested-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/vmbus_drv.c | 26

[PATCH v2 7/7] Drivers: hv: vmbus: Do not allow overwriting vmbus_connection.channels[]

2020-12-02 Thread Andrea Parri (Microsoft)
not allow overwriting an entry vmbus_connection.channels[]. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- Changes since v1: - Don't corrupt oldchannel if offer->child_relid is invalid drivers/hv/channel_mgmt.c | 38 -- drivers

[PATCH v2 0/7] Drivers: hv: vmbus: More VMBus-hardening changes

2020-12-02 Thread Andrea Parri (Microsoft)
Hi all, This is v2 of [1], integrating feedback from Juan and Wei and adding patch 4/7 (after Juan's suggestion). Changelogs are in the patches. Thanks, Andrea [1] https://lkml.kernel.org/r/20201118143649.108465-1-parri.and...@gmail.com Andrea Parri (Microsoft) (7): Drivers: hv: vmbus

[PATCH v2 1/7] Drivers: hv: vmbus: Initialize memory to be sent to the host

2020-12-02 Thread Andrea Parri (Microsoft)
, potentially leaking guest data. Zero initialize such fields to avoid leaking sensitive information to the host. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hv/channel.c b

[PATCH v2 2/7] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc()

2020-12-02 Thread Andrea Parri (Microsoft)
ing the value of msgtype into a local variable. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/vmbus_drv.c | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 0a2711aa63

[PATCH] Drivers: hv: vmbus: Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE message type

2020-11-26 Thread Andrea Parri (Microsoft)
a CHANNELMSG_MODIFYCHANNEL message associated to that CPU." Introduce the CHANNELMSG_MODIFYCHANNEL_RESPONSE(24) message type, which embodies the type of the CHANNELMSG_MODIFYCHANNEL ACK. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel.c | 108 +

[PATCH] hv_netvsc: Validate number of allocated sub-channels

2020-11-18 Thread Andrea Parri (Microsoft)
Lack of validation could lead to out-of-bound reads and information leaks (cf. usage of nvdev->chan_table[]). Check that the number of allocated sub-channels fits into the expected range. Suggested-by: Saruhan Karademir Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller"

[PATCH] scsi: storvsc: Validate length of incoming packet in storvsc_on_channel_callback()

2020-11-18 Thread Andrea Parri (Microsoft)
Check that the packet is of the expected size at least, don't copy data past the packet. Reported-by: Saruhan Karademir Signed-off-by: Andrea Parri (Microsoft) Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.org --- Based on hyperv-

[PATCH 5/6] Drivers: hv: vmbus: Resolve race condition in vmbus_onoffer_rescind()

2020-11-18 Thread Andrea Parri (Microsoft)
to a use-after-free. Add a new flag to the channel structure to make sure that only one instance of vmbus_onoffer_rescind() can get the reference to the channel object. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 12 include

[PATCH 3/6] Drivers: hv: vmbus: Avoid double fetch of payload_size in vmbus_on_msg_dpc()

2020-11-18 Thread Andrea Parri (Microsoft)
vmbus_on_msg_dpc() double fetches from payload_size. The double fetch can lead to a buffer overflow when (mem)copying the hv_message object. Avoid the double fetch by saving the value of payload_size into a local variable. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft

[PATCH 6/6] Drivers: hv: vmbus: Do not allow overwriting vmbus_connection.channels[]

2020-11-18 Thread Andrea Parri (Microsoft)
not allow overwriting an entry vmbus_connection.channels[]. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 30 ++ drivers/hv/hyperv_vmbus.h | 2 +- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/drivers/hv

[PATCH 1/6] Drivers: hv: vmbus: Initialize memory to be sent to the host

2020-11-18 Thread Andrea Parri (Microsoft)
, potentially leaking guest data. Zero initialize such fields to avoid leaking sensitive information to the host. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hv/channel.c b

[PATCH 4/6] Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind()

2020-11-18 Thread Andrea Parri (Microsoft)
ree can be avoided by noticing that this load/check is redundant if device_obj is non-NULL: primary_channel must be NULL if device_obj is non-NULL, cf. vmbus_add_channel_work(). Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 3 +-- 1 file changed

[PATCH 2/6] Drivers: hv: vmbus: Avoid double fetch of msgtype in vmbus_on_msg_dpc()

2020-11-18 Thread Andrea Parri (Microsoft)
ing the value of msgtype into a local variable. Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/vmbus_drv.c | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index 0a2711aa63

[PATCH 0/6] Drivers: hv: vmbus: More VMBus-hardening changes

2020-11-18 Thread Andrea Parri (Microsoft)
Hi all, This set is a continuation of the work for hardening the VMBus drivers against an erroneous or malicious host. This is based on hyperv-next. Thanks, Andrea Andrea Parri (Microsoft) (6): Drivers: hv: vmbus: Initialize memory to be sent to the host Drivers: hv: vmbus: Avoid double

[PATCH v2] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

2020-11-09 Thread Andrea Parri (Microsoft)
validating its length and offset fields in hv_pkt_iter_first(). In this way, the packet can no longer be modified by the host. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc:

[PATCH v4] hv_utils: Add validation for untrusted Hyper-V values

2020-11-09 Thread Andrea Parri (Microsoft)
of the icversion_data array in vmbus_prep_negotiate_resp(). Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) --- Changes in v3: - Add size check for icframe_vercnt and icmsg_vercnt Changes in v2: - Use ratelimited form of kernel

[PATCH v9 3/3] hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening

2020-11-09 Thread Andrea Parri (Microsoft)
integers generated by vmbus_requestor as requests (transaction) IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Michael Kelley Acked-by: Jakub Kicinski Cc: "David S. Miller" Cc: Jakub Kicinsk

[PATCH v9 2/3] scsi: storvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening

2020-11-09 Thread Andrea Parri (Microsoft)
integers generated by vmbus_requestor as requests (transaction) IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Michael Kelley Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-

[PATCH v9 0/3] Drivers: hv: vmbus: vmbus_requestor data structure for VMBus hardening

2020-11-09 Thread Andrea Parri (Microsoft)
Currently, VMbus drivers use pointers into guest memory as request IDs for interactions with Hyper-V. To be more robust in the face of errors or malicious behavior from a compromised Hyper-V, avoid exposing guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a bad request ID that is

[PATCH v9 1/3] Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening

2020-11-09 Thread Andrea Parri (Microsoft)
a bad request ID that is then treated as the address of a guest data structure with no validation. Instead, encapsulate these memory addresses and provide small integers as request IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft

[PATCH v8 3/3] hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening

2020-11-04 Thread Andrea Parri (Microsoft)
integers generated by vmbus_requestor as requests (transaction) IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Michael Kelley Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org --- d

[PATCH v8 1/3] Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening

2020-11-04 Thread Andrea Parri (Microsoft)
a bad request ID that is then treated as the address of a guest data structure with no validation. Instead, encapsulate these memory addresses and provide small integers as request IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft

[PATCH v8 2/3] scsi: storvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening

2020-11-04 Thread Andrea Parri (Microsoft)
integers generated by vmbus_requestor as requests (transaction) IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Michael Kelley Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-

[PATCH v8 0/3] Drivers: hv: vmbus: vmbus_requestor data structure for VMBus hardening

2020-11-04 Thread Andrea Parri (Microsoft)
Hi all, This is a resubmission of: https://lkml.kernel.org/r/20200907161920.71460-1-parri.and...@gmail.com based on 5.10-rc2. Andrea Cc: James E.J. Bottomley Cc: Martin K. Petersen Cc: "David S. Miller" Cc: Jakub Kicinski Cc: linux-s...@vger.kernel.org Cc: net...@vger.kernel.org

[PATCH v3] hv_netvsc: Add validation for untrusted Hyper-V values

2020-09-16 Thread Andrea Parri (Microsoft)
, or subvert an existing validation via integer overflow. Ensure that outgoing packets do not have any leftover guest memory that has not been zeroed out. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller"

[PATCH v2] hv_netvsc: Add validation for untrusted Hyper-V values

2020-09-10 Thread Andrea Parri (Microsoft)
, or subvert an existing validation via integer overflow. Ensure that outgoing packets do not have any leftover guest memory that has not been zeroed out. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller"

[PATCH] Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer

2020-09-10 Thread Andrea Parri (Microsoft)
validating its length and offset fields in hv_pkt_iter_first(). In this way, the packet can no longer be modified by the host. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc:

[PATCH v3] hv_utils: Add validation for untrusted Hyper-V values

2020-09-10 Thread Andrea Parri (Microsoft)
of the icversion_data array in vmbus_prep_negotiate_resp(). Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) --- Changes in v3: - Add size check for icframe_vercnt and icmsg_vercnt (Saruhan) Changes in v2: - Use ratelimited form of kernel logging

[PATCH v7 3/3] hv_netvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening

2020-09-07 Thread Andrea Parri (Microsoft)
integers generated by vmbus_requestor as requests (transaction) IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Cc: "David S. Miller" Cc: Jakub Kicinski Cc: net...@vger.kernel.org --- Changes in v7:

[PATCH v7 2/3] scsi: storvsc: Use vmbus_requestor to generate transaction IDs for VMBus hardening

2020-09-07 Thread Andrea Parri (Microsoft)
integers generated by vmbus_requestor as requests (transaction) IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft) Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-s...@vger.kernel.o

[PATCH v7 1/3] Drivers: hv: vmbus: Add vmbus_requestor data structure for VMBus hardening

2020-09-07 Thread Andrea Parri (Microsoft)
a bad request ID that is then treated as the address of a guest data structure with no validation. Instead, encapsulate these memory addresses and provide small integers as request IDs. Signed-off-by: Andres Beltran Co-developed-by: Andrea Parri (Microsoft) Signed-off-by: Andrea Parri (Microsoft

[PATCH v7 0/3] Drivers: hv: vmbus: vmbus_requestor data structure for VMBus hardening

2020-09-07 Thread Andrea Parri (Microsoft)
Currently, VMbus drivers use pointers into guest memory as request IDs for interactions with Hyper-V. To be more robust in the face of errors or malicious behavior from a compromised Hyper-V, avoid exposing guest memory addresses to Hyper-V. Also avoid Hyper-V giving back a bad request ID that is

[PATCH 2/8] Drivers: hv: vmbus: Remove the numa_node field from the vmbus_channel struct

2020-06-17 Thread Andrea Parri (Microsoft)
The field is read only in numa_node_show() and it is already stored twice (after a call to cpu_to_node()) in target_cpu_store() and init_vp_index(); there is no need to "cache" its value in the channel data structure. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_

[PATCH 4/8] Drivers: hv: vmbus: Remove unnecessary channel->lock critical sections (sc_list readers)

2020-06-17 Thread Andrea Parri (Microsoft)
Additions/deletions to/from sc_list (as well as modifications of target_cpu(s)) are protected by channel_mutex, which hv_synic_cleanup() and vmbus_bus_suspend() own for the duration of the channel->lock critical section in question. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/h

[PATCH 8/8] Drivers: hv: vmbus: Remove the lock field from the vmbus_channel struct

2020-06-17 Thread Andrea Parri (Microsoft)
ff-by: Andrea Parri (Microsoft) --- drivers/hv/channel.c | 6 +- drivers/hv/channel_mgmt.c | 1 - include/linux/hyperv.h| 6 -- 3 files changed, 1 insertion(+), 12 deletions(-) diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c index 8848d1548b3f2..3ebda7707e46a 100644 ---

[PATCH 5/8] Drivers: hv: vmbus: Use channel_mutex in channel_vp_mapping_show()

2020-06-17 Thread Andrea Parri (Microsoft)
itical section with a channel_mutex critical section and extend the latter to include the loads of target_cpu; this same pattern is also used in hv_synic_cleanup(). Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/vmbus_drv.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff

[PATCH 6/8] Drivers: hv: vmbus: Remove unnecessary channel->lock critical sections (sc_list updaters)

2020-06-17 Thread Andrea Parri (Microsoft)
None of the readers/updaters of sc_list rely on channel->lock for synchronization. Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/channel_mgmt.c | 25 ++--- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/drivers/hv/channel_mgmt.c b/drivers

[PATCH 7/8] scsi: storvsc: Introduce the per-storvsc_device spinlock

2020-06-17 Thread Andrea Parri (Microsoft)
-specific) stor_chns[] array from the "generic" VMBus code and data structures, clarifying the scope of this synchronization mechanism. Signed-off-by: Andrea Parri (Microsoft) --- drivers/scsi/storvsc_drv.c | 16 +++- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git

[PATCH 0/8] Drivers: hv: vmbus: Miscellaneous cleanups

2020-06-17 Thread Andrea Parri (Microsoft)
nnel->lock, which is actually *removed by the end of this series! ;-) I'm sure there is room for further "cleanups", ;-) but let me check if these (relatively small) changes make sense first... Thanks, Andrea Andrea Parri (Microsoft) (8): Drivers: hv: vmbus: Remove t

[PATCH 3/8] Drivers: hv: vmbus: Replace cpumask_test_cpu(, cpu_online_mask) with cpu_online()

2020-06-17 Thread Andrea Parri (Microsoft)
A slight improvement in readability, and this does also remove one memory access when NR_CPUS == 1! ;-) Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/vmbus_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c index

[PATCH 1/8] Drivers: hv: vmbus: Remove the target_vp field from the vmbus_channel struct

2020-06-17 Thread Andrea Parri (Microsoft)
The field is read only in __vmbus_open() and it is already stored twice (after a call to hv_cpu_number_to_vp_number()) in target_cpu_store() and init_vp_index(); there is no need to "cache" its value in the channel data structure. Suggested-by: Michael Kelley Signed-off-by: An

[RFC PATCH 2/2] Drivers: hv: vmbus: Re-balance channel interrupts across CPUs at device hotplug

2020-05-26 Thread Andrea Parri (Microsoft)
ed to a delayed work, to give channels of such device more chances to be opened. As in vmbus_balance_vp_indexes_at_cpuhp(), the balancing is applied to "performance" channels only, and it relies on the (new) capability to re-assign a channel interrupt. Suggested-by: Nuno Das Neves Signed-o

[RFC PATCH 0/2] VMBus channel interrupts re-balancing

2020-05-26 Thread Andrea Parri (Microsoft)
sibility in such scheme (where devices/channels are mapped only "one at a time"/as they are offered, with the end result that globally the various interrupts are not always evenly spread across CPUs). Andrea Parri (Microsoft) (2): Drivers: hv: vmbus: Re-balance channel interrupts acro

[RFC PATCH 1/2] Drivers: hv: vmbus: Re-balance channel interrupts across CPUs at CPU hotplug

2020-05-26 Thread Andrea Parri (Microsoft)
terrupt to a CPU (cf., the CHANNELMSG_MODIFYCHANNEL message type). As such, the new balancing process is effective starting with VMBus version 4.1 (no changes in semantics or behavior are intended for VMBus versions lower than 4.1). Suggested-by: Nuno Das Neves Signed-off-by: Andrea Parri (Microsoft) --- drivers/hv/

[PATCH] VMBus channel interrupts reassignment - Fixes

2020-05-22 Thread Andrea Parri (Microsoft)
prefer to handle these...) Thanks, Andrea Andrea Parri (Microsoft) (2): Drivers: hv: vmbus: Resolve race between init_vp_index() and CPU hotplug Drivers: hv: vmbus: Resolve more races involving init_vp_index() drivers/hv/channel_mgmt.c | 66
