From patchwork Tue Aug 1 21:54:14 2023
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 708759
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, qemu-s390x@nongnu.org, David Woodhouse, Paul Durrant, Philippe Mathieu-Daudé
Subject: [PULL 03/10] hw/xen: prevent guest from binding loopback event channel to itself
Date: Tue, 1 Aug 2023 23:54:14 +0200
Message-Id: <20230801215421.60133-4-philmd@linaro.org>
In-Reply-To: <20230801215421.60133-1-philmd@linaro.org>
References: <20230801215421.60133-1-philmd@linaro.org>

From: David Woodhouse

Fuzzing showed that a guest could bind an interdomain port to itself, by guessing the next port to be allocated and putting that as the 'remote' port number.

By chance, that works because the newly-allocated port has type EVTCHNSTAT_unbound. It shouldn't.

Signed-off-by: David Woodhouse
Reviewed-by: Paul Durrant
Message-Id: <20230801175747.145906-4-dwmw2@infradead.org>
Signed-off-by: Philippe Mathieu-Daudé
---
 hw/i386/kvm/xen_evtchn.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
index 0e9c108614..a731738411 100644
--- a/hw/i386/kvm/xen_evtchn.c
+++ b/hw/i386/kvm/xen_evtchn.c
@@ -1408,8 +1408,15 @@ int xen_evtchn_bind_interdomain_op(struct evtchn_bind_interdomain *interdomain) XenEvtchnPort *rp = &s->port_table[interdomain->remote_port]; XenEvtchnPort *lp = &s->port_table[interdomain->local_port]; - if (rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) { - /* It's a match! */ + /* + * The 'remote' port for loopback must be an unbound port allocated for + * communication with the local domain (as indicated by rp->type_val + * being zero, not PORT_INFO_TYPEVAL_REMOTE_QEMU), and must *not* be + * the port that was just allocated for the local end. + */ + if (interdomain->local_port != interdomain->remote_port && + rp->type == EVTCHNSTAT_unbound && rp->type_val == 0) { + rp->type = EVTCHNSTAT_interdomain; rp->type_val = interdomain->local_port;
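Review bot: the new `interdomain->local_port != interdomain->remote_port` test is the part of this condition that actually closes the self-bind case from the commit message, but as written it reads as an unrelated third check beside the two type checks; since `rp` and `lp` are computed from exactly those two indices a few lines above, `rp != lp && rp->type == EVTCHNSTAT_unbound && rp->type_val == 0` would make the aliasing explicit, and the new comment block could say in one line that the freshly allocated local port is itself EVTCHNSTAT_unbound with type_val 0, which is why the old `if (rp->type == EVTCHNSTAT_unbound && rp->type_val == 0)` matched it. The hunk is cut off after `rp->type_val = interdomain->local_port;`, so the matching update of the local end and the rejection path for the now-excluded self-bind are not visible here and should be confirmed in the full diff.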