| Message ID | 20211122093036.285952-1-mst@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | f7a36b03a7320d1a3ba52f9305571eddad325a05 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | vsock/virtio: suppress used length validation | expand |
On Mon, Nov 22, 2021 at 04:32:01AM -0500, Michael S. Tsirkin wrote: >It turns out that vhost vsock violates the virtio spec >by supplying the out buffer length in the used length >(should just be the in length). >As a result, attempts to validate the used length fail with: >vmw_vsock_virtio_transport virtio1: tx: used len 44 is larger than in buflen 0 > >Since vsock driver does not use the length fox tx and >validates the length before use for rx, it is safe to >suppress the validation in virtio core for this driver. > >Reported-by: Halil Pasic <pasic@linux.ibm.com> >Fixes: 939779f5152d ("virtio_ring: validate used buffer length") >Cc: "Jason Wang" <jasowang@redhat.com> >Signed-off-by: Michael S. Tsirkin <mst@redhat.com> >--- > net/vmw_vsock/virtio_transport.c | 1 + > 1 file changed, 1 insertion(+) Thanks for this fix Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> I think we should also fix vhost-vsock violation (in stable branches too). @Halil do you plan to send a fix? Otherwise I can do it ;-) Thanks, Stefano
On Mon, Nov 22, 2021 at 04:32:01AM -0500, Michael S. Tsirkin wrote: > It turns out that vhost vsock violates the virtio spec > by supplying the out buffer length in the used length > (should just be the in length). > As a result, attempts to validate the used length fail with: > vmw_vsock_virtio_transport virtio1: tx: used len 44 is larger than in buflen 0 > > Since vsock driver does not use the length fox tx and > validates the length before use for rx, it is safe to > suppress the validation in virtio core for this driver. > > Reported-by: Halil Pasic <pasic@linux.ibm.com> > Fixes: 939779f5152d ("virtio_ring: validate used buffer length") > Cc: "Jason Wang" <jasowang@redhat.com> > Signed-off-by: Michael S. Tsirkin <mst@redhat.com> > --- > net/vmw_vsock/virtio_transport.c | 1 + > 1 file changed, 1 insertion(+) Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c index 4f7c99dfd16c..3f82b2f1e6dd 100644 --- a/net/vmw_vsock/virtio_transport.c +++ b/net/vmw_vsock/virtio_transport.c @@ -731,6 +731,7 @@ static unsigned int features[] = { static struct virtio_driver virtio_vsock_driver = { .feature_table = features, .feature_table_size = ARRAY_SIZE(features), + .suppress_used_validation = true, .driver.name = KBUILD_MODNAME, .driver.owner = THIS_MODULE, .id_table = id_table,
It turns out that vhost vsock violates the virtio spec by supplying the out buffer length in the used length (should just be the in length). As a result, attempts to validate the used length fail with: vmw_vsock_virtio_transport virtio1: tx: used len 44 is larger than in buflen 0 Since vsock driver does not use the length fox tx and validates the length before use for rx, it is safe to suppress the validation in virtio core for this driver. Reported-by: Halil Pasic <pasic@linux.ibm.com> Fixes: 939779f5152d ("virtio_ring: validate used buffer length") Cc: "Jason Wang" <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> --- net/vmw_vsock/virtio_transport.c | 1 + 1 file changed, 1 insertion(+)