[0/8] xen: harden frontends against malicious backends

Message ID	20210513100302.22027-1-jgross@suse.com
Headers	show Return-Path: <netdev-owner@kernel.org> From: Juergen Gross <jgross@suse.com> To: xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, netdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org Cc: Juergen Gross <jgross@suse.com>, Boris Ostrovsky <boris.ostrovsky@oracle.com>, Stefano Stabellini <sstabellini@kernel.org>, Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>, =?utf-8?q?Roger_Pau_M?= =?utf-8?b?b25uw6k=?= <roger.pau@citrix.com>, Jens Axboe <axboe@kernel.dk>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Jiri Slaby <jirislaby@kernel.org> Subject: [PATCH 0/8] xen: harden frontends against malicious backends Date: Thu, 13 May 2021 12:02:54 +0200 Message-Id: <20210513100302.22027-1-jgross@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	xen: harden frontends against malicious backends \| expand [0/8] xen: harden frontends against malicious backends [5/8] xen/netfront: read response from backend only once [6/8] xen/netfront: don't read data from request on the ring page [7/8] xen/netfront: don't trust the backend response data blindly

Message ID

20210513100302.22027-1-jgross@suse.com

Headers

From: Juergen Gross <jgross@suse.com>
To: xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org,
	linux-block@vger.kernel.org, netdev@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org
Cc: Juergen Gross <jgross@suse.com>, Boris Ostrovsky
	<boris.ostrovsky@oracle.com>, Stefano Stabellini
	<sstabellini@kernel.org>, 
	Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>, =?utf-8?q?Roger_Pau_M?=
	=?utf-8?b?b25uw6k=?= <roger.pau@citrix.com>,
	Jens Axboe <axboe@kernel.dk>, "David S. Miller" <davem@davemloft.net>, 
	Jakub Kicinski <kuba@kernel.org>, Greg Kroah-Hartman
	<gregkh@linuxfoundation.org>,         Jiri Slaby <jirislaby@kernel.org>
Subject: [PATCH 0/8] xen: harden frontends against malicious backends
Date: Thu, 13 May 2021 12:02:54 +0200
Message-Id: <20210513100302.22027-1-jgross@suse.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

xen: harden frontends against malicious backends | expand

Message

Jürgen Groß May 13, 2021, 10:02 a.m. UTC

Xen backends of para-virtualized devices can live in dom0 kernel, dom0
user land, or in a driver domain. This means that a backend might
reside in a less trusted environment than the Xen core components, so
a backend should not be able to do harm to a Xen guest (it can still
mess up I/O data, but it shouldn't be able to e.g. crash a guest by
other means or cause a privilege escalation in the guest).

Unfortunately many frontends in the Linux kernel are fully trusting
their respective backends. This series is starting to fix the most
important frontends: console, disk and network.

It was discussed to handle this as a security problem, but the topic
was discussed in public before, so it isn't a real secret.

Juergen Gross (8):
  xen: sync include/xen/interface/io/ring.h with Xen's newest version
  xen/blkfront: read response from backend only once
  xen/blkfront: don't take local copy of a request from the ring page
  xen/blkfront: don't trust the backend response data blindly
  xen/netfront: read response from backend only once
  xen/netfront: don't read data from request on the ring page
  xen/netfront: don't trust the backend response data blindly
  xen/hvc: replace BUG_ON() with negative return value

 drivers/block/xen-blkfront.c    | 118 +++++++++-----
 drivers/net/xen-netfront.c      | 184 ++++++++++++++-------
 drivers/tty/hvc/hvc_xen.c       |  15 +-
 include/xen/interface/io/ring.h | 278 ++++++++++++++++++--------------
 4 files changed, 369 insertions(+), 226 deletions(-)

Comments

Marek Marczykowski-Górecki May 21, 2021, 10:43 a.m. UTC | #1

On Thu, May 13, 2021 at 12:02:54PM +0200, Juergen Gross wrote:
> Xen backends of para-virtualized devices can live in dom0 kernel, dom0

> user land, or in a driver domain. This means that a backend might

> reside in a less trusted environment than the Xen core components, so

> a backend should not be able to do harm to a Xen guest (it can still

> mess up I/O data, but it shouldn't be able to e.g. crash a guest by

> other means or cause a privilege escalation in the guest).

> 

> Unfortunately many frontends in the Linux kernel are fully trusting

> their respective backends. This series is starting to fix the most

> important frontends: console, disk and network.

> 

> It was discussed to handle this as a security problem, but the topic

> was discussed in public before, so it isn't a real secret.


Is it based on patches we ship in Qubes[1] and also I've sent here some
years ago[2]? I see a lot of similarities. If not, you may want to
compare them.

[1] https://github.com/QubesOS/qubes-linux-kernel/
[2] https://lists.xenproject.org/archives/html/xen-devel/2018-04/msg02336.html


> Juergen Gross (8):

>   xen: sync include/xen/interface/io/ring.h with Xen's newest version

>   xen/blkfront: read response from backend only once

>   xen/blkfront: don't take local copy of a request from the ring page

>   xen/blkfront: don't trust the backend response data blindly

>   xen/netfront: read response from backend only once

>   xen/netfront: don't read data from request on the ring page

>   xen/netfront: don't trust the backend response data blindly

>   xen/hvc: replace BUG_ON() with negative return value

> 

>  drivers/block/xen-blkfront.c    | 118 +++++++++-----

>  drivers/net/xen-netfront.c      | 184 ++++++++++++++-------

>  drivers/tty/hvc/hvc_xen.c       |  15 +-

>  include/xen/interface/io/ring.h | 278 ++++++++++++++++++--------------

>  4 files changed, 369 insertions(+), 226 deletions(-)

> 

> -- 

> 2.26.2

> 

> 


-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab