
Re: [PATCH 4/4] xen/scsifront: harden driver against malicious backend


  • To: Juergen Gross <jgross@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-scsi@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
  • From: Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>
  • Date: Wed, 20 Apr 2022 12:13:50 -0400
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, "James E.J. Bottomley" <jejb@xxxxxxxxxxxxx>, "Martin K. Petersen" <martin.petersen@xxxxxxxxxx>
  • Delivery-date: Wed, 20 Apr 2022 16:14:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Just a couple of nits.


On 4/20/22 5:25 AM, Juergen Gross wrote:
-static int scsifront_ring_drain(struct vscsifrnt_info *info)
+static int scsifront_ring_drain(struct vscsifrnt_info *info,
+                               unsigned int *eoiflag)
  {
-       struct vscsiif_response *ring_rsp;
+       struct vscsiif_response ring_rsp;
        RING_IDX i, rp;
        int more_to_do = 0;
- rp = info->ring.sring->rsp_prod;
-       rmb();  /* ordering required respective to dom0 */
+       rp = READ_ONCE(info->ring.sring->rsp_prod);
+       virt_rmb();     /* ordering required respective to backend */
+       if (RING_RESPONSE_PROD_OVERFLOW(&info->ring, rp)) {
+               scsifront_set_error(info, "illegal number of responses");


In net and block drivers we report number of such responses. (But not in usb)


+               return 0;
+       }
        for (i = info->ring.rsp_cons; i != rp; i++) {
-               ring_rsp = RING_GET_RESPONSE(&info->ring, i);
-               scsifront_do_response(info, ring_rsp);
+               RING_COPY_RESPONSE(&info->ring, i, &ring_rsp);
+               scsifront_do_response(info, &ring_rsp);
+               if (info->host_active == STATE_ERROR)
+                       return 0;
+               *eoiflag = 0;
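
Review bot: both early exits in scsifront_ring_drain(), the RING_RESPONSE_PROD_OVERFLOW branch and the `info->host_active == STATE_ERROR` check inside the loop, use `return 0`, which is also what the initial `more_to_do = 0` yields for a fully drained ring, so the return value alone does not tell the caller that processing was aborted. A short comment at each exit should state that the abort is signalled via scsifront_set_error() or `info->host_active` rather than the return value, and whether `*eoiflag` is meant to stay as the caller passed it on these paths. The new `eoiflag` parameter also has no comment saying what value the caller is expected to pass in; one line above the function would cover it.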


*eoiflags &= ~XEN_EOI_FLAG_SPURIOUS; ?


We also use eoi_flags name in other instances in this file.


-boris



 

