[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 3/3] xen/blkfront: don't trust the backend response data blindly


  • To: Juergen Gross <jgross@xxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 8 Jul 2021 15:11:06 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dApYUv0qBUWG/wRh9snu9rIDXsxOLh5oXW2J0EqkRjU=; b=VAdiMJmCCnkHquSE7nCNKxGliAxuVRHKEHKT11p5bVn2xgqH4N/LqJtEDZeDgu/H6Zb6uOWhuYl+I9NGhM0XBMpHSF/WcCncMuT6CDYDiunbP3Ww98QghFaoUsZZlfddIf+OxfBl+h3fHQLWLwAP9tik36vCfLozzFSuuTARH74GmErqSzBHFd899+WNWsyd/UqH6txXatl6Z0IIaLW8i7KjejDh9GyGbKXq6AT5WBxkUnsfTStdvu1qcRh5rsACLAp1Ay7ZZVM8BoTErPXY1CrIOg2FbiRJ7sSc0r17Zp2piXt14tQahonZz/FJQQbufDHnu9YhJ6mK9ouJcAw/xw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MLk6rZXViFu7Y2TOTHEwfy+5qhcjUEiTjSi6kMpRGeXLTbX3cociKgiFbMBooAUrovV3rDjELkIC/xFLAivmxSI/7lEPP+ksRSarbKcIm68kBgOyjE/b2YRfIISMEB1+lE4PEfpF5omiGQQK8c8YF9Wb+8AWhcinwjQwlYQHJWxx/r6ZnVjjdHag26Sh/lMpr8oak2Z0htwisXLvRKo8S2kU/ij6nZ2nI8HAflZ9UTpf7XU5jWbAzraMs/IcvlXhZMVMP4bUgwJyq5tHK0hHDEGJ6ztg3dNRvQ9+HYT90fh+EYuBYxpDtZmRqcHThU2bsthHu+O5fgH7h7Crq7javQ==
  • Authentication-results: vger.kernel.org; dkim=none (message not signed) header.d=none;vger.kernel.org; dmarc=none action=none header.from=suse.com;
  • Cc: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Jens Axboe <axboe@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-block@xxxxxxxxxxxxxxx
  • Delivery-date: Thu, 08 Jul 2021 13:11:19 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 08.07.2021 14:43, Juergen Gross wrote:
> Today blkfront will trust the backend to send only sane response data.
> In order to avoid privilege escalations or crashes in case of malicious
> backends verify the data to be within expected limits. Especially make
> sure that the response always references an outstanding request.
> 
> Introduce a new state of the ring BLKIF_STATE_ERROR which will be
> switched to in case an inconsistency is being detected. Recovering from
> this state is possible only via removing and adding the virtual device
> again (e.g. via a suspend/resume cycle).
> 
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
albeit ...

> @@ -1602,7 +1628,8 @@ static irqreturn_t blkif_interrupt(int irq, void 
> *dev_id)
>               case BLKIF_OP_DISCARD:
>                       if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
>                               struct request_queue *rq = info->rq;
> -                             printk(KERN_WARNING "blkfront: %s: %s op 
> failed\n",
> +
> +                             pr_warn_ratelimited("blkfront: %s: %s op 
> failed\n",
>                                          info->gd->disk_name, 
> op_name(bret.operation));
>                               blkif_req(req)->error = BLK_STS_NOTSUPP;
>                               info->feature_discard = 0;
> @@ -1614,13 +1641,13 @@ static irqreturn_t blkif_interrupt(int irq, void 
> *dev_id)
>               case BLKIF_OP_FLUSH_DISKCACHE:
>               case BLKIF_OP_WRITE_BARRIER:
>                       if (unlikely(bret.status == BLKIF_RSP_EOPNOTSUPP)) {
> -                             printk(KERN_WARNING "blkfront: %s: %s op 
> failed\n",
> +                             pr_warn_ratelimited("blkfront: %s: %s op 
> failed\n",
>                                      info->gd->disk_name, 
> op_name(bret.operation));
>                               blkif_req(req)->error = BLK_STS_NOTSUPP;
>                       }
>                       if (unlikely(bret.status == BLKIF_RSP_ERROR &&
>                                    rinfo->shadow[id].req.u.rw.nr_segments == 
> 0)) {
> -                             printk(KERN_WARNING "blkfront: %s: empty %s op 
> failed\n",
> +                             pr_warn_ratelimited("blkfront: %s: empty %s op 
> failed\n",
>                                      info->gd->disk_name, 
> op_name(bret.operation));
>                               blkif_req(req)->error = BLK_STS_NOTSUPP;
>                       }
> @@ -1635,8 +1662,8 @@ static irqreturn_t blkif_interrupt(int irq, void 
> *dev_id)
>               case BLKIF_OP_READ:
>               case BLKIF_OP_WRITE:
>                       if (unlikely(bret.status != BLKIF_RSP_OKAY))
> -                             dev_dbg(&info->xbdev->dev, "Bad return from 
> blkdev data "
> -                                     "request: %x\n", bret.status);
> +                             dev_dbg_ratelimited(&info->xbdev->dev,
> +                                     "Bad return from blkdev data request: 
> %x\n", bret.status);
>  
>                       break;
>               default:

... all of these look kind of unrelated to the topic of the patch,
and the conversion also isn't mentioned as on-purpose in the
description.

Jan




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.