[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 4/4] xen/netfront: don't trust the backend response data blindly

  • To: Juergen Gross <jgross@xxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 24 Aug 2021 17:31:35 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SBgygmfNCgF/hbTlSpP4QhROisBR3Nmc6XYtY6xdQdc=; b=OCMseRA4tP33hHBlTpW26E/sbt/GBgYGGvyai1gajdqex1XH+Me1lTwNVP3EK7FktqcTb0gWy62tKK6JTf5J2Rm+R4T1EmneQDrT+DcEHIvb2fxI9/rdA9BTwWNPWOrBb/uKhu8H2hDV5vzEF9K3Tt/X3TLLPWV82Y9jmAHhCkR5zgaPWfQUzZWFSkbQeZbM89grw7HxXdUeL94qO7maehqipLNr8wVxE2DdMpgjhnUhPm1J1ULwITPHwocgg5YY20lH2tU0DOREO/4EzUSWBSZ/kuvBaQfWIg0/hx5t6FnSBODcIhQ3XzxRn66MVy4N7/5SxbX+6Nn6HEv2zqIvow==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=O0D4Klde9QS0vm2MUA05VzhySDZNTXxEBYo7NAVupZDNY0E6C0b81bX83VeVxjEugH3X8bcZdJdjoU81e8SfIesOldIdu/hIrBm513b147ZC5mKJN/D3aFd6/TufdY8BCQlK24UAfvzARqthpp600A13mtghjU+DRe6pwBTyUeZlCRnLFMeU9a0S4rn943G6r/e/HXGCCkYbf4/B0bjbQVHFeV7rNZX/Axbk+R45n1fMmAN47POcnUEHwAzroQMHrYLxO9RO5A2d9Kk93ipdMR83/yTyw4BElcoqhhbIpRR8GmCYj7Sf01rxIpbPa6jlGpwUYS2dhPLIX3BzqL7tGQ==
  • Authentication-results: vger.kernel.org; dkim=none (message not signed) header.d=none;vger.kernel.org; dmarc=none action=none header.from=suse.com;
  • Cc: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
  • Delivery-date: Tue, 24 Aug 2021 15:31:47 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 24.08.2021 12:28, Juergen Gross wrote:
> Today netfront will trust the backend to send only sane response data.
> In order to avoid privilege escalations or crashes in case of malicious
> backends verify the data to be within expected limits. Especially make
> sure that the response always references an outstanding request.
> Note that only the tx queue needs special id handling, as for the rx
> queue the id is equal to the index in the ring page.
> Introduce a new indicator for the device whether it is broken and let
> the device stop working when it is set. Set this indicator in case the
> backend sets any weird data.
> Signed-off-by: Juergen Gross <jgross@xxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
with a small suggestion:

> V2:
> - set the pending flag only just before sending the request (Jan Beulich)
> - reset broken indicator during connect (Jan Beulich)

With this latter adjustment, would it make sense to ...

> @@ -416,6 +440,12 @@ static void xennet_tx_buf_gc(struct netfront_queue 
> *queue)
>       } while (more_to_do);
>       xennet_maybe_wake_tx(queue);
> +
> +     return;
> +
> + err:
> +     queue->info->broken = true;
> +     dev_alert(dev, "Disabled for further use\n");

... hint at that behavior here, e.g. by adding "(until reconnect)"?
That way an admin observing this log message will have an immediate
hint at how to get the interface to work again (if so desired).




Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.