From: "Michael S. Tsirkin" <mst@redhat.com>
To: Vladislav Zolotarov <vladz@cloudius-systems.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
Bruce Richardson <bruce.richardson@intel.com>,
linux-kernel@vger.kernel.org, hjk@hansjkoch.de,
avi@cloudius-systems.com, corbet@lwn.net,
alexander.duyck@gmail.com, gleb@cloudius-systems.com,
stephen@networkplumber.org
Subject: Re: [PATCH v3 1/3] uio: add ioctl support
Date: Tue, 6 Oct 2015 01:29:19 +0300 [thread overview]
Message-ID: <20151006005527-mutt-send-email-mst@redhat.com> (raw)
In-Reply-To: <CAOYyTHZ2=UCYxuJKvd5S6qxp=84DBq5bMadg5wL0rFLZBh2-8Q@mail.gmail.com>
On Tue, Oct 06, 2015 at 12:43:45AM +0300, Vladislav Zolotarov wrote:
> So, like it has already been asked in a different thread I'm going to
> ask a rhetorical question: what adding an MSI and MSI-X interrupts support to
> uio_pci_generic has to do with security?
memory protection is a better term than security.
It's very simple: you enable bus mastering and you ask userspace to map
all device BARs. One of these BARs holds the address to which device
writes to trigger MSI-X interrupt.
This is how MSI-X works, internally: from the point of view of
PCI it's a memory write. It just so happens that the destination
address is in the interrupt controller, that triggers an interrupt.
But a bug in this userspace application can corrupt the MSI-X table,
which in turn can easily corrupt kernel memory, or unrelated processes's
memory. This is in my opinion unacceptable.
So you need to be very careful
- probably need to reset device before you even enable bus master
- prevent userspace from touching msi config
- prevent userspace from moving BARs since msi-x config is within a BAR
- detect reset and prevent linux from touching device while it's under
reset
The list goes on and on.
This is pretty much what VFIO spent the last 3 years doing, except VFIO
also can do IOMMU groups.
> What "security threat" does it add
> that u don't already have today?
Yes, userspace can create this today if it tweaks PCI config space to
enable MSI-X, then corrupts the MSI-X table. It's unfortunate that we
don't yet prevent this, but at least you need two things to go wrong for
this to trigger.
The reason, as I tried to point out, is simply that I didn't think
uio_pci_generic will be used for these configurations.
But there's nothing fundamental here that makes them secure
and that therefore makes your patches secure as well.
Fixing this to make uio_pci_generic write-protect MSI/MSI-X enable
registers sounds kind of reasonable, this shouldn't be too hard.
--
MST
next prev parent reply other threads:[~2015-10-05 22:29 UTC|newest]
Thread overview: 96+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-04 20:43 [PATCH v3 0/3] uio: add MSI/MSI-X support to uio_pci_generic driver Vlad Zolotarov
2015-10-04 20:43 ` [PATCH v3 1/3] uio: add ioctl support Vlad Zolotarov
2015-10-05 3:03 ` Greg KH
2015-10-05 7:33 ` Vlad Zolotarov
2015-10-05 8:01 ` Greg KH
2015-10-05 10:36 ` Vlad Zolotarov
2015-10-05 20:02 ` Michael S. Tsirkin
[not found] ` <CAOYyTHZ2=UCYxuJKvd5S6qxp=84DBq5bMadg5wL0rFLZBh2-8Q@mail.gmail.com>
2015-10-05 22:29 ` Michael S. Tsirkin [this message]
2015-10-06 8:33 ` Vlad Zolotarov
2015-10-06 14:19 ` Michael S. Tsirkin
2015-10-06 14:30 ` Gleb Natapov
2015-10-06 15:19 ` Michael S. Tsirkin
2015-10-06 15:31 ` Vlad Zolotarov
2015-10-06 15:57 ` Gleb Natapov
2015-10-04 20:43 ` [PATCH v3 2/3] uio_pci_generic: add MSI/MSI-X support Vlad Zolotarov
2015-10-05 3:11 ` Greg KH
2015-10-05 7:41 ` Vlad Zolotarov
2015-10-05 7:56 ` Greg KH
2015-10-05 10:48 ` Vlad Zolotarov
2015-10-05 10:57 ` Greg KH
2015-10-05 11:09 ` Avi Kivity
2015-10-05 13:08 ` Greg KH
2015-10-05 11:41 ` Vlad Zolotarov
2015-10-05 11:47 ` Avi Kivity
2015-10-05 11:53 ` Vlad Zolotarov
2015-10-05 8:28 ` Avi Kivity
2015-10-05 9:49 ` Greg KH
2015-10-05 10:20 ` Avi Kivity
2015-10-06 14:38 ` Michael S. Tsirkin
2015-10-06 14:43 ` Vlad Zolotarov
2015-10-06 14:56 ` Michael S. Tsirkin
2015-10-06 15:23 ` Avi Kivity
2015-10-06 18:51 ` Alex Williamson
2015-10-06 21:32 ` Stephen Hemminger
2015-10-06 21:41 ` Alex Williamson
[not found] ` <CAOaVG152OrQz-Bbnpr0VeE+vLH7nMGsG6A3sD7eTQHormNGVUg@mail.gmail.com>
2015-10-07 7:57 ` Vlad Zolotarov
[not found] ` <5614C160.6000203@scylladb.com>
2015-10-07 8:00 ` Vlad Zolotarov
2015-10-07 8:01 ` Vlad Zolotarov
2015-10-07 6:52 ` Avi Kivity
2015-10-07 16:31 ` Alex Williamson
2015-10-07 16:39 ` Avi Kivity
2015-10-07 21:05 ` Michael S. Tsirkin
2015-10-08 4:19 ` Gleb Natapov
2015-10-08 7:41 ` Michael S. Tsirkin
2015-10-08 7:59 ` Gleb Natapov
2015-10-08 9:38 ` Michael S. Tsirkin
2015-10-08 9:45 ` Gleb Natapov
2015-10-08 12:15 ` Michael S. Tsirkin
2015-10-08 5:33 ` Avi Kivity
2015-10-08 7:32 ` Michael S. Tsirkin
2015-10-08 8:46 ` Avi Kivity
2015-10-08 9:16 ` Michael S. Tsirkin
2015-10-08 9:44 ` Avi Kivity
2015-10-08 12:06 ` Michael S. Tsirkin
2015-10-08 12:27 ` Gleb Natapov
2015-10-08 13:20 ` Michael S. Tsirkin
2015-10-08 13:28 ` Gleb Natapov
2015-10-08 16:43 ` Michael S. Tsirkin
2015-10-08 17:01 ` Gleb Natapov
2015-10-08 17:39 ` Michael S. Tsirkin
2015-10-08 17:53 ` Gleb Natapov
2015-10-08 18:38 ` Greg KH
2015-10-08 8:32 ` Michael S. Tsirkin
2015-10-08 8:52 ` Gleb Natapov
2015-10-08 9:19 ` Avi Kivity
2015-10-08 10:26 ` Michael S. Tsirkin
2015-10-08 13:20 ` Avi Kivity
2015-10-08 14:17 ` Michael S. Tsirkin
2015-10-08 15:31 ` Alex Williamson
2015-10-07 20:05 ` Michael S. Tsirkin
2015-10-07 7:55 ` Vlad Zolotarov
2015-10-08 8:48 ` Michael S. Tsirkin
2015-10-06 15:28 ` Vlad Zolotarov
2015-10-06 14:46 ` Michael S. Tsirkin
2015-10-06 15:27 ` Avi Kivity
2015-10-05 8:41 ` Stephen Hemminger
2015-10-05 9:08 ` Vlad Zolotarov
2015-10-05 10:06 ` Vlad Zolotarov
2015-10-05 20:09 ` Michael S. Tsirkin
2015-10-05 9:11 ` Vlad Zolotarov
2015-10-05 19:16 ` Michael S. Tsirkin
2015-10-04 20:43 ` [PATCH v3 3/3] Documentation: update uio-howto Vlad Zolotarov
2015-10-04 20:45 ` [PATCH v3 0/3] uio: add MSI/MSI-X support to uio_pci_generic driver Vlad Zolotarov
2015-10-05 19:50 ` Michael S. Tsirkin
2015-10-06 8:37 ` Vlad Zolotarov
2015-10-06 14:30 ` Michael S. Tsirkin
2015-10-06 14:40 ` Vlad Zolotarov
2015-10-06 15:13 ` Michael S. Tsirkin
2015-10-06 16:35 ` Vlad Zolotarov
2015-10-06 15:11 ` Avi Kivity
2015-10-06 15:15 ` Michael S. Tsirkin
2015-10-06 16:00 ` Gleb Natapov
2015-10-06 16:09 ` Avi Kivity
2015-10-07 10:25 ` Michael S. Tsirkin
2015-10-07 10:28 ` Avi Kivity
-- strict thread matches above, loose matches on Subject: below --
2015-10-04 20:39 Vlad Zolotarov
2015-10-04 20:39 ` [PATCH v3 1/3] uio: add ioctl support Vlad Zolotarov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151006005527-mutt-send-email-mst@redhat.com \
--to=mst@redhat.com \
--cc=alexander.duyck@gmail.com \
--cc=avi@cloudius-systems.com \
--cc=bruce.richardson@intel.com \
--cc=corbet@lwn.net \
--cc=gleb@cloudius-systems.com \
--cc=gregkh@linuxfoundation.org \
--cc=hjk@hansjkoch.de \
--cc=linux-kernel@vger.kernel.org \
--cc=stephen@networkplumber.org \
--cc=vladz@cloudius-systems.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).