RE: [PATCH v2] scsi: storvsc: Fix validation for unsolicited incoming packets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Andrea Parri <parri.andrea@xxxxxxxxx> Sent: Wednesday, October 6, 2021 9:18 AM
> > > @@ -1302,13 +1306,25 @@ static void storvsc_on_channel_callback(void *context)
> > >  			if (rqst_id == 0) {
> > >  				/*
> > >  				 * storvsc_on_receive() looks at the vstor_packet in the message
> > > -				 * from the ring buffer.  If the operation in the vstor_packet is
> > > -				 * COMPLETE_IO, then we call storvsc_on_io_completion(), and
> > > -				 * dereference the guest memory address.  Make sure we don't call
> > > -				 * storvsc_on_io_completion() with a guest memory address that is
> > > -				 * zero if Hyper-V were to construct and send such a bogus packet.
> > > +				 * from the ring buffer.
> > > +				 *
> > > +				 * - If the operation in the vstor_packet is COMPLETE_IO, then
> > > +				 *   we call storvsc_on_io_completion(), and dereference the
> > > +				 *   guest memory address.  Make sure we don't call
> > > +				 *   storvsc_on_io_completion() with a guest memory address
> > > +				 *   that is zero if Hyper-V were to construct and send such
> > > +				 *   a bogus packet.
> > > +				 *
> > > +				 * - If the operation in the vstor_packet is FCHBA_DATA, then
> > > +				 *   we call cache_wwn(), and access the data payload area of
> > > +				 *   the packet (wwn_packet); however, there is no guarantee
> > > +				 *   that the packet is big enough to contain such area.
> > > +				 *   Future-proof the code by rejecting such a bogus packet.
> >
> > The comments look good to me.
> >
> > > +				 *
> > > +				 * XXX.  Filter out all "invalid" operations.
> >
> > Is this a leftover comment line that should be deleted?  I'm not sure about the "XXX".
> 
> That was/is intended as a "TODO".  What I think we are missing here is a
> specification/authority stating "allowed vstor_operation for unsolicited
> messages are: ENUMERATE_BUS, REMOVE_DEVICE, etc.".  If we wanted to make
> this code even more "future-proof"/"robust", we would reject all packets
> whose "operation" doesn't match that list (independently from the actual
> form/implementation of storvsc_on_receive()...).  We are not quite there
> tough AFAICT.
> 

Hmmm.  I think maybe we *are* there. :-)   If we get a packet with rqst_id
of zero and a vstor operation other than COMPLETE_IO or FCHBA_DATA,
then storvsc_on_receive() will be called.  The vstor operation will be
checked there, and anything not listed in the switch statement is silently
ignored, which I think is good enough.  We could output a message
in the "default" leg of the switch statement, but it's kind of a shrug for me.

Michael

> 
> > >  				 */
> > > -				if (packet->operation == VSTOR_OPERATION_COMPLETE_IO) {
> > > +				if (packet->operation == VSTOR_OPERATION_COMPLETE_IO ||
> > > +				    packet->operation == VSTOR_OPERATION_FCHBA_DATA) {
> > >  					dev_err(&device->device, "Invalid packet with ID of 0\n");
> > >  					continue;
> > >  				}
> > > --
> > > 2.25.1
> >
> > Other than the seemingly spurious comment line,
> >
> > Reviewed-by: Michael Kelley <mikelley@xxxxxxxxxxxxx>
> 
> I wanted to make sure that we're on the same page: I could either expand
> or just remove that comment line; no strong opinion.  Please let me know
> what is your/reviewers' preference.
> 
> Thanks,
>   Andrea




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux