From: David Gibson <david@gibson.dropbear.id.au>
To: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: linuxppc-dev@lists.ozlabs.org, kvm-ppc@vger.kernel.org,
Paul Mackerras <paulus@ozlabs.org>
Subject: Re: [PATCH kernel 1/4] KVM: PPC: Validate all tces before updating tables
Date: Thu, 30 Aug 2018 14:01:01 +1000 [thread overview]
Message-ID: <20180830040101.GG2222@umbus.fritz.box> (raw)
In-Reply-To: <20180830031647.34134-2-aik@ozlabs.ru>
[-- Attachment #1: Type: text/plain, Size: 2835 bytes --]
On Thu, Aug 30, 2018 at 01:16:44PM +1000, Alexey Kardashevskiy wrote:
> The KVM TCE handlers are written in a way so they fail when either
> something went horribly wrong or the userspace did some obvious mistake
> such as passing a misaligned address.
>
> We are going to enhance the TCE checker to fail on attempts to map bigger
> IOMMU page than the underlying pinned memory so let's valitate TCE
> beforehand.
>
> This should cause no behavioral change.
>
> Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
With one misgiving..
> ---
> arch/powerpc/kvm/book3s_64_vio.c | 8 ++++++++
> arch/powerpc/kvm/book3s_64_vio_hv.c | 4 ++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/arch/powerpc/kvm/book3s_64_vio.c b/arch/powerpc/kvm/book3s_64_vio.c
> index 9a3f264..0fef22b 100644
> --- a/arch/powerpc/kvm/book3s_64_vio.c
> +++ b/arch/powerpc/kvm/book3s_64_vio.c
> @@ -599,6 +599,14 @@ long kvmppc_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + if (get_user(tce, tces + i)) {
This looks unsafe, because we validate, then regrab the TCE from
userspace which could have been changed by another thread.
But it actually is safe, because the relevant checks will be
re-executed in the following code. If userspace tries to change this
dodgily it will result in a messier failure mode but won't threaten
the host.
Long term, I think we would be better off copying everything into
kernel space then doing the validation just once. But the difference
should only become apparent with a malicious or badly broken guest,
and in the meantime this series addresses a real problem.
So, I think we should go ahead with it despite that imperfection.
> + ret = H_TOO_HARD;
> + goto unlock_exit;
> + }
> + tce = be64_to_cpu(tce);
>
> if (kvmppc_gpa_to_ua(vcpu->kvm,
> tce & ~(TCE_PCI_READ | TCE_PCI_WRITE),
> diff --git a/arch/powerpc/kvm/book3s_64_vio_hv.c b/arch/powerpc/kvm/book3s_64_vio_hv.c
> index 506a4d4..7ab6f3f 100644
> --- a/arch/powerpc/kvm/book3s_64_vio_hv.c
> +++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
> @@ -501,6 +501,10 @@ long kvmppc_rm_h_put_tce_indirect(struct kvm_vcpu *vcpu,
> ret = kvmppc_tce_validate(stt, tce);
> if (ret != H_SUCCESS)
> goto unlock_exit;
> + }
> +
> + for (i = 0; i < npages; ++i) {
> + unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
>
> ua = 0;
> if (kvmppc_gpa_to_ua(vcpu->kvm,
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2018-08-30 4:04 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-30 3:16 [PATCH kernel 0/4] KVM: PPC: Some error handling rework Alexey Kardashevskiy
2018-08-30 3:16 ` [PATCH kernel 1/4] KVM: PPC: Validate all tces before updating tables Alexey Kardashevskiy
2018-08-30 4:01 ` David Gibson [this message]
2018-08-31 4:04 ` Alexey Kardashevskiy
2018-08-30 3:16 ` [PATCH kernel 2/4] KVM: PPC: Inform the userspace about TCE update failures Alexey Kardashevskiy
2018-08-30 4:01 ` David Gibson
2018-08-30 3:16 ` [PATCH kernel 3/4] KVM: PPC: Validate TCEs against preregistered memory page sizes Alexey Kardashevskiy
2018-08-30 4:03 ` David Gibson
2018-08-30 3:16 ` [PATCH kernel 4/4] KVM: PPC: Propagate errors to the guest when failed instead of ignoring Alexey Kardashevskiy
2018-08-30 4:04 ` David Gibson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180830040101.GG2222@umbus.fritz.box \
--to=david@gibson.dropbear.id.au \
--cc=aik@ozlabs.ru \
--cc=kvm-ppc@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paulus@ozlabs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).