From: Carlos Bilbao <carlos.bilbao.osdev@gmail.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"David Hildenbrand (Arm)" <david@kernel.org>,
"Hari Mishal" <harimishal1@gmail.com>,
"Jason Wang" <jasowangio@gmail.com>,
"Xuan Zhuo" <xuanzhuo@linux.alibaba.com>,
"Eugenio Pérez" <eperezma@redhat.com>,
virtualization@lists.linux.dev, linux-kernel@vger.kernel.org,
elena.reshetova@intel.com, huster@cs.uni-goettingen.de,
mhollick@seemoo.de, jiska.classen@hpi.de
Subject: Re: [PATCH v2 1/4] virtio-mem: validate device-reported block size
Date: Sat, 18 Jul 2026 10:41:26 -0700 [thread overview]
Message-ID: <f8c50876-e18d-4493-ba91-7a4090b6385a@gmail.com> (raw)
In-Reply-To: <20260718131715-mutt-send-email-mst@kernel.org>
Hello Michael,
On 7/18/26 10:21, Michael S. Tsirkin wrote:
> On Sat, Jul 18, 2026 at 10:07:30AM -0700, Carlos Bilbao wrote:
>> On 7/17/26 22:29, Greg Kroah-Hartman wrote:
>>
>>> On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
>>>> Historically, one of the biggest criticisms of coco, especially around
>>>> device hardening, was that there were too many values that a
>>>> malicious/buggy device could misreport, making it a losing battle. That is
>>>> no longer the case with LLMs, and we have the advantage (and challenge) of
>>>> open-source dev, which allows us to receive many of these fixes "for free".
>>>> If others want to burn their tokens, let them :)
>>> I have lots of tokens to burn :)
>>>
>>> So along those lines, any suggestions on how best to fuzz these code
>>> paths? Any workloads you all use for testing that I can take advantage
>>> of?
>>
>> We've the virtio-mem config struct layout and the kernel source, so for
>> obvious fixes like a NULL check, static analysis is better than fuzzing.
>> Claude took a few mins to find me two examples:
>>
>> Patch 1: virtio-mem: reject non-power-of-two device_block_size
>> This one is for virtio_mem_init() to check if
>> !is_power_of_2(vm->device_block_size)
>>
>> Patch 2: virto-mem: validate region_size and usable_region_size
>> THis one checks region_size != 0 and vm->usable_reion_size >
>> vm->region_size.
>>
>> An endless factory of "silly" checks like these are low hanging fruit.
> At the same time, these checks don't actually help within the coco
> threat model, do they?
>
>> Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
>> like a great candidate for those interested in pursuing this direction.
>>
>>
>> Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
>> can't quickly adapt for virtio-mem and other virtio drivers; the JSON
>> definition to describe device behavior is easily extensible. Their threat
>> model [2] describes an external attacker, but in the context of coco, the
>> virtio device itself is the attacker.
> What we need, however, is to exclude DoS attacks - these are outside the
> threat model. If people try to address all DoS attacks uncritically we
> just get a churn of changes which just might introduce issues of their
> own.
>
> Example:
>
> BUG_ON(!is_power_of_2(....));
> panics, non exploitable.
>
> if(!is_power_of_2(....))
> goto error;
>
> can become exploitable if the cleanup is done wrong.
Yes, you are 100% technically right about the scope of the threat model.
DoS is out of scope because it is a fundamentally unreachable goal; the
cloud provider can always just "pull the plug". The dangers of
"vibe-coding" you point out are real, over-eager LLMs fixing up and down
will create new vulnerabilities in complex cleanup paths. Also, TBH, I
sympathize with a maintainer's disinterest in reviewing a million stupid
checks.
But, to play devil's advocate: this assumes a missing check
like is_power_of_2 only ever leads to a benign crash, rather than already
cascading into an unknown, exploitable state down the line.
So these checks are not _just_ to prevent DoS!
Anyhow, this is the exact justification for VirtFuzz. If your main concern
is that adding validation checks might introduce subtle exploit paths in
the error-cleanup code, VirtFuzz and tools like that, can fuzz those new
paths exhaustively. It gives the automated safety net needed to scale coco
device with as little regressions as possible.
>
>
>
>> Here's a vibe coded PR of what I mean:
>>
>> https://github.com/seemoo-lab/VirtFuzz/pull/7
>>
>> CCed the creators/authors, thanks for open sourcing this!
>>
>> Thanks,
>> Carlos
>>
>> [1] https://github.com/seemoo-lab/VirtFuzz
>>
>> On 7/17/26 22:29, Greg Kroah-Hartman wrote:
>>
>>> On Fri, Jul 17, 2026 at 08:31:09PM -0700, Carlos Bilbao wrote:
>>>> Historically, one of the biggest criticisms of coco, especially around
>>>> device hardening, was that there were too many values that a
>>>> malicious/buggy device could misreport, making it a losing battle. That is
>>>> no longer the case with LLMs, and we have the advantage (and challenge) of
>>>> open-source dev, which allows us to receive many of these fixes "for free".
>>>> If others want to burn their tokens, let them :)
>>> I have lots of tokens to burn :)
>>>
>>> So along those lines, any suggestions on how best to fuzz these code
>>> paths? Any workloads you all use for testing that I can take advantage
>>> of?
>>
>> We've the virto-mem config struct layout and the kernel source, so for
>> obvious fixes like a NULL check, static analysis is better than fuzzing.
>> Claude took a few mins to find me two examples:
>>
>> Patch 1: virtio-mem: reject non-power-of-two device_block_size
>> This one is for virtio_mem_init() to check if
>> !is_power_of_2(vm->device_block_size)
>>
>> Patch 2: virto-mem: validate region_size and usable_region_size
>> THis one checks region_size != 0 and vm->usable_reion_size >
>> vm->region_size.
>>
>> An endless factory of "silly" checks like these are low hanging fruit.
>>
>> Now, for harder bugs, looking around for fuzz options, VirtFuzz [1] looks
>> like a great candidate for those interested in pursuing this direction.
>>
>>
>> Their PoC fuzzes wireless/Bluetooth stack, but nothing our AI overlords
>> can't quickly adapt for virtio-mem and other virtio drivers; the JSON
>> definition to describe device behavior is easily extensible. Their threat
>> model [2] describes an external attacker, but in the context of coco, the
>> virtio device itself is the attacker. Here's a vibe coded PR of what I mean:
>>
>> https://github.com/seemoo-lab/VirtFuzz/pull/7
>>
>> CCed the creators/authors, thanks for open sourcing this!
>>
>> Thanks,
>> Carlos
>>
>> [1] https://github.com/seemoo-lab/VirtFuzz
>> [2] https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ
>>
>>
>>> thanks,
>>>
>>> greg k-h
>> [2] https://www.computer.org/csdl/proceedings-article/sp/2024/313000a024/1RjEa0y9RMQ
>>
>>
>>> thanks,
>>>
>>> greg k-h
Thanks,
Carlos
next prev parent reply other threads:[~2026-07-18 17:41 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-15 14:22 [PATCH 0/4] virtio: validate device-reported values across drivers Hari Mishal
2026-07-15 14:22 ` [PATCH 1/4] virtio-mem: validate device-reported block size Hari Mishal
2026-07-15 15:57 ` Michael S. Tsirkin
2026-07-15 16:41 ` [PATCH v2 " Hari Mishal
2026-07-16 8:55 ` David Hildenbrand (Arm)
2026-07-16 14:18 ` Greg Kroah-Hartman
2026-07-16 15:59 ` David Hildenbrand (Arm)
2026-07-17 5:03 ` Greg Kroah-Hartman
2026-07-17 5:48 ` Michael S. Tsirkin
2026-07-17 8:39 ` David Hildenbrand (Arm)
2026-07-17 8:59 ` Michael S. Tsirkin
2026-07-17 9:14 ` Greg Kroah-Hartman
2026-07-17 10:10 ` Michael S. Tsirkin
2026-07-17 10:15 ` Greg Kroah-Hartman
2026-07-17 10:21 ` David Hildenbrand (Arm)
2026-07-17 10:28 ` Michael S. Tsirkin
2026-07-17 10:44 ` Greg Kroah-Hartman
2026-07-17 11:00 ` David Hildenbrand (Arm)
2026-07-17 10:23 ` Michael S. Tsirkin
2026-07-17 10:46 ` Greg Kroah-Hartman
2026-07-17 10:52 ` Michael S. Tsirkin
2026-07-17 12:07 ` Greg Kroah-Hartman
2026-07-17 13:08 ` Michael S. Tsirkin
2026-07-17 14:31 ` Greg Kroah-Hartman
2026-07-17 15:27 ` Michael Kelley
2026-07-17 16:28 ` Michael S. Tsirkin
2026-07-17 16:30 ` Michael S. Tsirkin
2026-07-18 3:31 ` Carlos Bilbao
2026-07-18 5:29 ` Greg Kroah-Hartman
2026-07-18 17:07 ` Carlos Bilbao
2026-07-18 17:21 ` Michael S. Tsirkin
2026-07-18 17:41 ` Carlos Bilbao [this message]
2026-07-15 14:22 ` [PATCH 2/4] virtio_input: validate device-reported multitouch slot count Hari Mishal
2026-07-15 15:50 ` Michael S. Tsirkin
2026-07-15 16:07 ` Hari Mishal
2026-07-15 16:11 ` Michael S. Tsirkin
2026-07-15 18:25 ` Dmitry Torokhov
[not found] ` <CAMmC+=DXS=xs0CZyf+N-71NT8D51xQYatBv=dfVQC1aBohDdmA@mail.gmail.com>
[not found] ` <alkTnRb9qhgcMGGi@google.com>
2026-07-16 17:33 ` Dmitry Torokhov
2026-07-15 16:41 ` [PATCH v2 " Hari Mishal
2026-07-15 14:22 ` [PATCH 3/4] virtio_console: avoid NULL portdev dereference in in_intr() Hari Mishal
2026-07-15 14:22 ` [PATCH 4/4] virtio_console: take a kref in find_port_by_vq() to fix port UAF Hari Mishal
2026-07-15 14:42 ` [PATCH v2 " Hari Mishal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8c50876-e18d-4493-ba91-7a4090b6385a@gmail.com \
--to=carlos.bilbao.osdev@gmail.com \
--cc=david@kernel.org \
--cc=elena.reshetova@intel.com \
--cc=eperezma@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=harimishal1@gmail.com \
--cc=huster@cs.uni-goettingen.de \
--cc=jasowangio@gmail.com \
--cc=jiska.classen@hpi.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mhollick@seemoo.de \
--cc=mst@redhat.com \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome