From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752440AbbJEW31 (ORCPT ); Mon, 5 Oct 2015 18:29:27 -0400 Received: from mx1.redhat.com ([209.132.183.28]:35246 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752224AbbJEW30 (ORCPT ); Mon, 5 Oct 2015 18:29:26 -0400 Date: Tue, 6 Oct 2015 01:29:19 +0300 From: "Michael S. Tsirkin" To: Vladislav Zolotarov Cc: Greg KH , Bruce Richardson , linux-kernel@vger.kernel.org, hjk@hansjkoch.de, avi@cloudius-systems.com, corbet@lwn.net, alexander.duyck@gmail.com, gleb@cloudius-systems.com, stephen@networkplumber.org Subject: Re: [PATCH v3 1/3] uio: add ioctl support Message-ID: <20151006005527-mutt-send-email-mst@redhat.com> References: <1443991398-23761-1-git-send-email-vladz@cloudius-systems.com> <1443991398-23761-2-git-send-email-vladz@cloudius-systems.com> <20151005030352.GA27303@kroah.com> <561227C0.5050607@cloudius-systems.com> <20151005080149.GB1747@kroah.com> <561252B3.4000406@cloudius-systems.com> <20151005225157-mutt-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 06, 2015 at 12:43:45AM +0300, Vladislav Zolotarov wrote: > So, like it has already been asked in a different thread I'm going to > ask a rhetorical question: what adding an MSI and MSI-X interrupts support to > uio_pci_generic has to do with security? memory protection is a better term than security. It's very simple: you enable bus mastering and you ask userspace to map all device BARs. One of these BARs holds the address to which device writes to trigger MSI-X interrupt. This is how MSI-X works, internally: from the point of view of PCI it's a memory write. It just so happens that the destination address is in the interrupt controller, that triggers an interrupt. But a bug in this userspace application can corrupt the MSI-X table, which in turn can easily corrupt kernel memory, or unrelated processes's memory. This is in my opinion unacceptable. So you need to be very careful - probably need to reset device before you even enable bus master - prevent userspace from touching msi config - prevent userspace from moving BARs since msi-x config is within a BAR - detect reset and prevent linux from touching device while it's under reset The list goes on and on. This is pretty much what VFIO spent the last 3 years doing, except VFIO also can do IOMMU groups. > What "security threat" does it add > that u don't already have today? Yes, userspace can create this today if it tweaks PCI config space to enable MSI-X, then corrupts the MSI-X table. It's unfortunate that we don't yet prevent this, but at least you need two things to go wrong for this to trigger. The reason, as I tried to point out, is simply that I didn't think uio_pci_generic will be used for these configurations. But there's nothing fundamental here that makes them secure and that therefore makes your patches secure as well. Fixing this to make uio_pci_generic write-protect MSI/MSI-X enable registers sounds kind of reasonable, this shouldn't be too hard. -- MST