From: Michael S. Tsirkin Date: Sun, 8 Sep 2019 11:04:08 +0000 (-0400) Subject: vhost: block speculation of translated descriptors X-Git-Tag: v5.15~5582^2~2 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a89db445fbd7f1f8457b03759aa7343fa530ef6b;p=platform%2Fkernel%2Flinux-starfive.git vhost: block speculation of translated descriptors iovec addresses coming from vhost are assumed to be pre-validated, but in fact can be speculated to a value out of range. Userspace address are later validated with array_index_nospec so we can be sure kernel info does not leak through these addresses, but vhost must also not leak userspace info outside the allowed memory table to guests. Following the defence in depth principle, make sure the address is not validated out of node range. Signed-off-by: Michael S. Tsirkin Cc: stable@vger.kernel.org Acked-by: Jason Wang Tested-by: Jason Wang --- diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 5dc174a..34ea219 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len, _iov = iov + ret; size = node->size - addr + node->start; _iov->iov_len = min((u64)len - s, size); - _iov->iov_base = (void __user *)(unsigned long) - (node->userspace_addr + addr - node->start); + _iov->iov_base = (void __user *) + ((unsigned long)node->userspace_addr + + array_index_nospec((unsigned long)(addr - node->start), + node->size)); s += size; addr += size; ++ret;