summaryrefslogtreecommitdiffstats
path: root/net/vmw_vsock
diff options
context:
space:
mode:
authorAndres Beltran <lkmlabelt@gmail.com>2021-04-08 18:14:39 +0200
committerWei Liu <wei.liu@kernel.org>2021-05-14 19:37:46 +0200
commitadae1e931acd8b430d31141a283ea06d4b705417 (patch)
tree70799e7f212ce0f991b0a675625391b8adf606f3 /net/vmw_vsock
parenthv_balloon: Remove redundant assignment to region_start (diff)
downloadlinux-adae1e931acd8b430d31141a283ea06d4b705417.tar.xz
linux-adae1e931acd8b430d31141a283ea06d4b705417.zip
Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer
Pointers to ring-buffer packets sent by Hyper-V are used within the guest VM. Hyper-V can send packets with erroneous values or modify packet fields after they are processed by the guest. To defend against these scenarios, return a copy of the incoming VMBus packet after validating its length and offset fields in hv_pkt_iter_first(). In this way, the packet can no longer be modified by the host. Signed-off-by: Andres Beltran <lkmlabelt@gmail.com> Co-developed-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Signed-off-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com> Reviewed-by: Michael Kelley <mikelley@microsoft.com> Link: https://lore.kernel.org/r/20210408161439.341988-1-parri.andrea@gmail.com Signed-off-by: Wei Liu <wei.liu@kernel.org>
Diffstat (limited to 'net/vmw_vsock')
-rw-r--r--net/vmw_vsock/hyperv_transport.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index cc3bae2659e7..19189cf30a72 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -596,7 +596,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,
return -EOPNOTSUPP;
if (need_refill) {
- hvs->recv_desc = hv_pkt_iter_first(hvs->chan);
+ hvs->recv_desc = hv_pkt_iter_first_raw(hvs->chan);
ret = hvs_update_recv_data(hvs);
if (ret)
return ret;
@@ -610,7 +610,7 @@ static ssize_t hvs_stream_dequeue(struct vsock_sock *vsk, struct msghdr *msg,
hvs->recv_data_len -= to_read;
if (hvs->recv_data_len == 0) {
- hvs->recv_desc = hv_pkt_iter_next(hvs->chan, hvs->recv_desc);
+ hvs->recv_desc = hv_pkt_iter_next_raw(hvs->chan, hvs->recv_desc);
if (hvs->recv_desc) {
ret = hvs_update_recv_data(hvs);
if (ret)