From: Demi Marie Obenour <demiobenour@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
Cc: Alyssa Ross <hi@alyssa.is>, Demi Marie Obenour <demiobenour@gmail.com>
Subject: [PATCH] tools: Use synchronous I/O for block devices
Date: Wed, 20 May 2026 21:46:40 -0400
Message-ID: <20260520-sync-block-v1-1-d1615e5d4f93@gmail.com>
CVE-2026-45782 showed that the Cloud Hypervisor asynchronous block I/O
code is far too subtle. Even the top-level APIs are unsafe, and so bugs
in the block device itself can cause undefined behavior. In this case,
the undefined behavior was a use-after-free that allowed a VM escape.
While the synchronous code still allows safe code to cause undefined
behavior, it is somewhat simpler to reason about and so should be
preferred when performance is not a concern. Disabling asynchronous I/O
was a mitigation for CVE-2026-45782.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
Upstream contributor Dylan Reid plans to fix the block layer. However,
its attack surface is still much higher than the synchronous I/O code.
This has not been tested beyond the integration tests. My test machine
is currently not working, most likely due to the AMDGPU panel
self-refresh bug.
---
tools/start-vmm/ch.rs | 2 ++
tools/start-vmm/lib.rs | 2 ++
2 files changed, 4 insertions(+)
diff --git a/tools/start-vmm/ch.rs b/tools/start-vmm/ch.rs
index d3ac95ed60db834e20dbd7366908ae45cbdf27a2..239d08e10721170de02ec7da92939597c72e8033 100644
--- a/tools/start-vmm/ch.rs
+++ b/tools/start-vmm/ch.rs
@@ -24,6 +24,8 @@ pub struct ConsoleConfig {
pub struct DiskConfig {
pub path: String,
pub readonly: bool,
+ pub disable_io_uring: bool,
+ pub disable_aio: bool,
}
#[derive(Serialize)]
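Review bot: The two new `DiskConfig` fields, `disable_io_uring` and `disable_aio`, carry no comment saying why they exist, so a later cleanup could drop them without realizing they are a security mitigation. A short doc comment on each field, naming the asynchronous block I/O backend it turns off and pointing at CVE-2026-45782 as the commit message does, would keep that rationale next to the code.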
diff --git a/tools/start-vmm/lib.rs b/tools/start-vmm/lib.rs
index 1adccc1b76ce24ba0550a3db2aef1b4c8f3c231a..0fa63525eaee2f387456ed6fb9c3649188ab0e7a 100644
--- a/tools/start-vmm/lib.rs
+++ b/tools/start-vmm/lib.rs
@@ -75,6 +75,8 @@ pub fn vm_config(vm_dir: &Path) -> Result<VmConfig, String> {
Ok(DiskConfig {
path: entry,
readonly: true,
+ disable_io_uring: true,
+ disable_aio: true,
})
})
.collect::<Result<_, _>>()?,
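Review bot: In `vm_config`, `disable_io_uring: true` and `disable_aio: true` are hard-coded with no comment, and nothing visible in the patch checks that they end up in the generated configuration. Since the cover note says this was not tested beyond the integration tests, consider adding a one-line comment here stating that synchronous I/O is deliberate, plus an assertion on both fields in a test of `vm_config`, so that a refactor cannot silently re-enable asynchronous I/O.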
---
base-commit: 5b3151fd08d1f1e3e166a328449fe6fe5092f316
change-id: 20260507-sync-block-2902b6a635f8
--
Sincerely,
Demi Marie Obenour (she/her/hers)