Message ID | 20210730103854.12681-1-jgross@suse.com (mailing list archive) |
---|---|
Headers | show |
Series | xen: harden blkfront against malicious backends | expand |
On 30.07.21 12:38, Juergen Gross wrote: > Xen backends of para-virtualized devices can live in dom0 kernel, dom0 > user land, or in a driver domain. This means that a backend might > reside in a less trusted environment than the Xen core components, so > a backend should not be able to do harm to a Xen guest (it can still > mess up I/O data, but it shouldn't be able to e.g. crash a guest by > other means or cause a privilege escalation in the guest). > > Unfortunately blkfront in the Linux kernel is fully trusting its > backend. This series is fixing blkfront in this regard. > > It was discussed to handle this as a security problem, but the topic > was discussed in public before, so it isn't a real secret. > > It should be mentioned that a similar series has been posted some years > ago by Marek Marczykowski-Górecki, but this series has not been applied > due to a Xen header not having been available in the Xen git repo at > that time. Additionally my series is fixing some more DoS cases. > > Changes in V3: > - patch 3: insert missing unlock in error case (kernel test robot) > - patch 3: use %#x as format for printing wrong operation value > (Roger Pau Monné) > > Changes in V2: > - put blkfront patches into own series > - some minor comments addressed > > Juergen Gross (3): > xen/blkfront: read response from backend only once > xen/blkfront: don't take local copy of a request from the ring page > xen/blkfront: don't trust the backend response data blindly > > drivers/block/xen-blkfront.c | 126 +++++++++++++++++++++++------------ > 1 file changed, 84 insertions(+), 42 deletions(-) > Series pushed to xen/tip.git for-linus-5.15 Juergen