feat(virtio-mem): mprotect unplugged memory ranges

This prevents the device emulation to be tricked into accessing
unplugged memory ranges. If a malicious driver tries to do so, the VMM
will crash with a memory error.

Signed-off-by: Riccardo Mancini <[email protected]>

Author: Manciukic

resources/seccomp/aarch64-unknown-linux-musl.json

@@ -472,6 +472,10 @@
             {
                 "syscall": "restart_syscall",
                 "comment": "automatically issued by the kernel when specific timing-related syscalls (e.g. nanosleep) get interrupted by SIGSTOP"
+            },
+            {
+                "syscall": "mprotect",
+                "comment": "Used by memory hotplug to protect access to underlying host memory"
             }
         ]
     },

resources/seccomp/x86_64-unknown-linux-musl.json

@@ -484,6 +484,10 @@
             {
                 "syscall": "restart_syscall",
                 "comment": "automatically issued by the kernel when specific timing-related syscalls (e.g. nanosleep) get interrupted by SIGSTOP"
+            },
+            {
+                "syscall": "mprotect",
+                "comment": "Used by memory hotplug to protect access to underlying host memory"
             }
         ]
     },

src/vmm/src/vstate/memory.rs

@@ -57,6 +57,8 @@ pub enum MemoryError {
     FileMetadata(std::io::Error),
     /// Memory region is not aligned
     Unaligned,
+    /// Error protecting memory slot: {0}
+    Mprotect(std::io::Error),
 }
 
 /// Type of the guest region
@@ -161,6 +163,28 @@ impl<'a> GuestMemorySlot<'a> {
 
         Ok(())
     }
+
+    /// Makes the slot host memory PROT_NONE (true) or PROT_READ|PROT_WRITE (false)
+    pub(crate) fn protect(&self, protected: bool) -> Result<(), MemoryError> {
+        let prot = if protected {
+            libc::PROT_NONE
+        } else {
+            libc::PROT_READ | libc::PROT_WRITE
+        };
+        // SAFETY: Parameters refer to an existing host memory region
+        let ret = unsafe {
+            libc::mprotect(
+                self.slice.ptr_guard_mut().as_ptr().cast(),
+                self.slice.len(),
+                prot,
+            )
+        };
+        if ret != 0 {
+            Err(MemoryError::Mprotect(std::io::Error::last_os_error()))
+        } else {
+            Ok(())
+        }
+    }
 }
 
 fn addr_in_range(addr: GuestAddress, start: GuestAddress, len: usize) -> bool {
@@ -297,11 +321,20 @@ impl GuestRegionMmapExt {
         if prev == plug {
             return Ok(());
         }
+
         let mut kvm_region = kvm_userspace_memory_region::from(mem_slot);
-        if !plug {
+        if plug {
+            // make it accessible _before_ adding it to KVM
+            mem_slot.protect(false)?;
+            vm.set_user_memory_region(kvm_region)?;
+        } else {
+            // to remove it we need to pass a size of zero
             kvm_region.memory_size = 0;
+            vm.set_user_memory_region(kvm_region)?;
+            // make it protected _after_ removing it from KVM
+            mem_slot.protect(true)?;
         }
-        vm.set_user_memory_region(kvm_region)
+        Ok(())
     }
 
     pub(crate) fn discard_range(

src/vmm/src/vstate/vm.rs

@@ -196,8 +196,13 @@ impl Vm {
             .insert_region(Arc::clone(&region))?;
 
         region
-            .plugged_slots()
-            .try_for_each(|ref slot| self.set_user_memory_region(slot.into()))?;
+            .slots()
+            .try_for_each(|(ref slot, plugged)| match plugged {
+                // if the slot is plugged, add it to kvm user memory regions
+                true => self.set_user_memory_region(slot.into()),
+                // if the slot is not plugged, protect accesses to it
+                false => slot.protect(true).map_err(VmError::MemoryError),
+            })?;
 
         self.common.guest_memory = new_guest_memory;