]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 42d552e) | patch
vhost: block speculation of translated descriptors
authorMichael S. Tsirkin <mst@redhat.com>
Sun, 8 Sep 2019 11:04:08 +0000 (07:04 -0400)
committerMichael S. Tsirkin <mst@redhat.com>
Wed, 11 Sep 2019 19:15:07 +0000 (15:15 -0400)
commit5d9c46f7942cfe2835650f7f9e014f63aee7d0de
tree83af9e5972b7bc3aef8f075fe6be4022b75c4d54tree | snapshot
parent42d552e13d9645d0007a1a1f9a5f40082a1c61a3commit | diff
vhost: block speculation of translated descriptors

iovec addresses coming from vhost are assumed to be
pre-validated, but in fact can be speculated to a value
out of range.

Userspace address are later validated with array_index_nospec so we can
be sure kernel info does not leak through these addresses, but vhost
must also not leak userspace info outside the allowed memory table to
guests.

Following the defence in depth principle, make sure
the address is not validated out of node range.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>
drivers/vhost/vhost.c diff | blob | history
Linux Kernel Source Tree.