mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
From: Carlos Bilbao <carlos.bilbao.osdev@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	"David Hildenbrand (Arm)" <david@kernel.org>,
	"Hari Mishal" <harimishal1@gmail.com>,
	"Jason Wang" <jasowangio@gmail.com>,
	"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
	"Eugenio Pérez" <eperezma@redhat.com>,
	virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
	elena.reshetova@intel.com, huster@cs.uni-goettingen.de,
	mhollick@seemoo.de, jiska.classen@hpi.de
Subject: Re: [PATCH v2 1/4] virtio-mem: validate device-reported block size
Date: Sat, 18 Jul 2026 10:07:30 -0700	[thread overview]
Message-ID: <ae5bc86b-cb8d-4530-9e58-d285007deac0@gmail.com> (raw)
In-Reply-To: <2026071803-passage-dares-8240@gregkh>

On 7/17/26 22:29, Greg Kroah-Hartman wrote:

> On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
>> Historically, one of the biggest criticisms of coco, especially around
>> device hardening, was that there were too many values that a
>> malicious/buggy device could misreport, making it a losing battle. That is
>> no longer the case with LLMs, and we have the advantage (and challenge) of
>> open-source dev, which allows us to receive many of these fixes "for free".
>> If others want to burn their tokens, let them :)
> I have lots of tokens to burn :)
>
> So along those lines, any suggestions on how best to fuzz these code
> paths?  Any workloads you all use for testing that I can take advantage
> of?


We've the virtio-mem config struct layout and the kernel source, so for
obvious fixes like a NULL check, static analysis is better than fuzzing.
Claude took a few mins to find me two examples:

Patch 1: virtio-mem: reject non-power-of-two device_block_size
This one is for virtio_mem_init() to check if
!is_power_of_2(vm->device_block_size)

Patch 2: virto-mem: validate region_size and usable_region_size
THis one checks region_size != 0 and vm->usable_reion_size >
vm->region_size.

An endless factory of "silly" checks like these are low hanging fruit.

Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
like a great candidate for those interested in pursuing this direction.


Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
can't quickly adapt for virtio-mem and other virtio drivers; the JSON
definition to describe device behavior is easily extensible. Their threat
model [2] describes an external attacker, but in the context of coco, the
virtio device itself is the attacker. Here's a vibe coded PR of what I mean:

https://github.com/seemoo-lab/VirtFuzz/pull/7

CCed the creators/authors, thanks for open sourcing this!

Thanks,
Carlos

[1] https://github.com/seemoo-lab/VirtFuzz

On 7/17/26 22:29, Greg Kroah-Hartman wrote:

> On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
>> Historically, one of the biggest criticisms of coco, especially around
>> device hardening, was that there were too many values that a
>> malicious/buggy device could misreport, making it a losing battle. That is
>> no longer the case with LLMs, and we have the advantage (and challenge) of
>> open-source dev, which allows us to receive many of these fixes "for free".
>> If others want to burn their tokens, let them :)
> I have lots of tokens to burn :)
>
> So along those lines, any suggestions on how best to fuzz these code
> paths?  Any workloads you all use for testing that I can take advantage
> of?


We've the virto-mem config struct layout and the kernel source, so for
obvious fixes like a NULL check, static analysis is better than fuzzing.
Claude took a few mins to find me two examples:

Patch 1: virtio-mem: reject non-power-of-two device_block_size
This one is for virtio_mem_init() to check if
!is_power_of_2(vm->device_block_size)

Patch 2: virto-mem: validate region_size and usable_region_size
THis one checks region_size != 0 and vm->usable_reion_size >
vm->region_size.

An endless factory of "silly" checks like these are low hanging fruit.

Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
like a great candidate for those interested in pursuing this direction.


Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
can't quickly adapt for virtio-mem and other virtio drivers; the JSON
definition to describe device behavior is easily extensible. Their threat
model [2] describes an external attacker, but in the context of coco, the
virtio device itself is the attacker. Here's a vibe coded PR of what I mean:

https://github.com/seemoo-lab/VirtFuzz/pull/7

CCed the creators/authors, thanks for open sourcing this!

Thanks,
Carlos

[1] https://github.com/seemoo-lab/VirtFuzz
[2] 
https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ


> thanks,
>
> greg k-h

[2] 
https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ


>
> thanks,
>
> greg k-h

  reply	other threads:[~2026-07-18 17:07 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-15 14:22 [PATCH 0/4] virtio: validate device-reported values across drivers Hari Mishal
2026-07-15 14:22 ` [PATCH 1/4] virtio-mem: validate device-reported block size Hari Mishal
2026-07-15 15:57   ` Michael S. Tsirkin
2026-07-15 16:41   ` [PATCH v2 " Hari Mishal
2026-07-16  8:55     ` David Hildenbrand (Arm)
2026-07-16 14:18       ` Greg Kroah-Hartman
2026-07-16 15:59         ` David Hildenbrand (Arm)
2026-07-17  5:03           ` Greg Kroah-Hartman
2026-07-17  5:48           ` Michael S. Tsirkin
2026-07-17  8:39             ` David Hildenbrand (Arm)
2026-07-17  8:59               ` Michael S. Tsirkin
2026-07-17  9:14                 ` Greg Kroah-Hartman
2026-07-17 10:10                   ` Michael S. Tsirkin
2026-07-17 10:15                     ` Greg Kroah-Hartman
2026-07-17 10:21                       ` David Hildenbrand (Arm)
2026-07-17 10:28                         ` Michael S. Tsirkin
2026-07-17 10:44                         ` Greg Kroah-Hartman
2026-07-17 11:00                           ` David Hildenbrand (Arm)
2026-07-17 10:23                       ` Michael S. Tsirkin
2026-07-17 10:46                         ` Greg Kroah-Hartman
2026-07-17 10:52                           ` Michael S. Tsirkin
2026-07-17 12:07                             ` Greg Kroah-Hartman
2026-07-17 13:08                               ` Michael S. Tsirkin
2026-07-17 14:31                                 ` Greg Kroah-Hartman
2026-07-17 15:27                                   ` Michael Kelley
2026-07-17 16:28                                   ` Michael S. Tsirkin
2026-07-17 16:30                                     ` Michael S. Tsirkin
2026-07-18  3:31                                 ` Carlos Bilbao
2026-07-18  5:29                                   ` Greg Kroah-Hartman
2026-07-18 17:07                                     ` Carlos Bilbao [this message]
2026-07-18 17:21                                       ` Michael S. Tsirkin
2026-07-18 17:41                                         ` Carlos Bilbao
2026-07-15 14:22 ` [PATCH 2/4] virtio_input: validate device-reported multitouch slot count Hari Mishal
2026-07-15 15:50   ` Michael S. Tsirkin
2026-07-15 16:07     ` Hari Mishal
2026-07-15 16:11       ` Michael S. Tsirkin
2026-07-15 18:25         ` Dmitry Torokhov
     [not found]           ` <CAMmC+=DXS=xs0CZyf+N-71NT8D51xQYatBv=dfVQC1aBohDdmA@mail.gmail.com>
     [not found]             ` <alkTnRb9qhgcMGGi@google.com>
2026-07-16 17:33               ` Dmitry Torokhov
2026-07-15 16:41   ` [PATCH v2 " Hari Mishal
2026-07-15 14:22 ` [PATCH 3/4] virtio_console: avoid NULL portdev dereference in in_intr() Hari Mishal
2026-07-15 14:22 ` [PATCH 4/4] virtio_console: take a kref in find_port_by_vq() to fix port UAF Hari Mishal
2026-07-15 14:42   ` [PATCH v2 " Hari Mishal

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ae5bc86b-cb8d-4530-9e58-d285007deac0@gmail.com \
    --to=carlos.bilbao.osdev@gmail.com \
    --cc=david@kernel.org \
    --cc=elena.reshetova@intel.com \
    --cc=eperezma@redhat.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=harimishal1@gmail.com \
    --cc=huster@cs.uni-goettingen.de \
    --cc=jasowangio@gmail.com \
    --cc=jiska.classen@hpi.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhollick@seemoo.de \
    --cc=mst@redhat.com \
    --cc=virtualization@lists.linux.dev \
    --cc=xuanzhuo@linux.alibaba.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome