vhost: block speculation of translated descriptors

iovec addresses coming from vhost are assumed to be
pre-validated, but in fact can be speculated to a value
out of range.

Userspace address are later validated with array_index_nospec so we can
be sure kernel info does not leak through these addresses, but vhost
must also not leak userspace info outside the allowed memory table to
guests.

Following the defence in depth principle, make sure
the address is not validated out of node range.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Jason Wang <jasowang@redhat.com>

diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index 5dc174ac8cacdebbc26801aff68bd6e27a479c93..34ea219936e3f369ff77c52f073d9d6a1c051128 100644 (file)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2071,8 +2071,10 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
                _iov = iov + ret;
                size = node->size - addr + node->start;
                _iov->iov_len = min((u64)len - s, size);
-               _iov->iov_base = (void __user *)(unsigned long)
-                       (node->userspace_addr + addr - node->start);
+               _iov->iov_base = (void __user *)
+                       ((unsigned long)node->userspace_addr +
+                        array_index_nospec((unsigned long)(addr - node->start),
+                                           node->size));
                s += size;
                addr += size;
                ++ret;