From: "Steve Wise" <swise@opengridcomputing.com>
To: 'Wenwen Wang' <wang6495@umn.edu>
Cc: 'Kangjie Lu' <kjlu@umn.edu>, 'Steve Wise' <swise@chelsio.com>,
'Doug Ledford' <dledford@redhat.com>,
'Jason Gunthorpe' <jgg@ziepe.ca>,
"'open list:CXGB4 IWARP RNIC DRIVER (IW_CXGB4)'"
<linux-rdma@vger.kernel.org>,
'open list' <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH] iw_cxgb4: fix a missing-check bug
Date: Sat, 20 Oct 2018 18:14:12 -0500 [thread overview]
Message-ID: <038301d468ca$9d30ca90$d7925fb0$@opengridcomputing.com> (raw)
In-Reply-To: <1540072741-18856-1-git-send-email-wang6495@umn.edu>
Hey Wenwen,
> Subject: [PATCH] iw_cxgb4: fix a missing-check bug
>
> In c4iw_flush_hw_cq, the next CQE is acquired through t4_next_hw_cqe(). In
> t4_next_hw_cqe(), the CQE, i.e., 'cq->queue[cq->cidx]', is checked to see
> whether it is valid through t4_valid_cqe(). If it is valid, the address of
> the CQE is then saved to 'hw_cqe'. Later on, the CQE is copied to the
local
> memory in create_read_req_cqe(). The problem here is that the CQE is
> actually in a DMA region allocated by dma_alloc_coherent() in create_cq().
> Given that the device also has the permission to access the DMA region, a
> malicious device controlled by an attacker can modify the CQE in the DMA
> region after the check in t4_next_hw_cqe() but before the copy in
> create_read_req_cqe(). By doing so, the attacker can supply invalid CQE,
> which can cause undefined behavior of the kernel and introduce potential
> security risks.
>
If the dma device is malicious, couldn't it just dma some incorrect CQE but
still valid in the first place? I don't think this patch actually solves
the issue, and it forces a copy of a 64B CQE in a critical data io path.
So I must NACK this.
Thanks,
Steve.
next prev parent reply other threads:[~2018-10-20 23:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-20 21:59 [PATCH] iw_cxgb4: fix a missing-check bug Wenwen Wang
2018-10-20 23:14 ` Steve Wise [this message]
2018-10-20 23:56 ` Wenwen Wang
2018-10-21 0:15 ` Steve Wise
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='038301d468ca$9d30ca90$d7925fb0$@opengridcomputing.com' \
--to=swise@opengridcomputing.com \
--cc=dledford@redhat.com \
--cc=jgg@ziepe.ca \
--cc=kjlu@umn.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=swise@chelsio.com \
--cc=wang6495@umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox