From: Thomas Huth <thuth@redhat.com>
To: Mauro Matteo Cascella <mcascell@redhat.com>, qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, fam@euphon.net, philmd@linaro.org,
alxndr@bu.edu, zheyuma97@gmail.com
Subject: Re: [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023-0330)
Date: Tue, 16 May 2023 11:46:36 +0200 [thread overview]
Message-ID: <64cdb2e7-324e-d6c0-566e-e72905711610@redhat.com> (raw)
In-Reply-To: <20230116204232.1142442-1-mcascell@redhat.com>
On 16/01/2023 21.42, Mauro Matteo Cascella wrote:
> This prevents the well known DMA-MMIO reentrancy problem (upstream issue #556)
> leading to memory corruption bugs like stack overflow or use-after-free.
>
> Fixes: CVE-2023-0330
> Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
> Reported-by: Zheyu Ma <zheyuma97@gmail.com>
> ---
Since the generic reentrancy guard apparently cannot be used for the lsi
controller (see commit bfd6e7ae6a72b8), I had a try with this patch, ... but
it seems this breaks the LSI driver of Linux.
I ran QEMU like this:
./qemu-system-x86_64 -accel kvm -m 2G -machine q35 \
-device lsi53c810,id=lsi1 -device scsi-hd,drive=d0 \
-drive if=none,id=d0,file=.../somedisk.qcow2 \
-cdrom Fedora-Everything-netinst-i386-25-1.3.iso
then booted into the rescue shell of the ISO image, and I was not able to
mount a partition from somedisk.qcow2 anymore. And there were lots of error
messages related to 53c8... in the "dmesg" output.
It seems like we indeed need some levels of reentrancy here and cannot
simply disable it completely.
But maybe we can block it at another level. I'll try to come up with a patch...
Thomas
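To make the reentrancy pattern under discussion concrete, here is an added illustration (my own toy model, not QEMU code, not the patch above and not whatever Thomas ends up proposing). It builds a tiny DMA engine whose target address space holds both "guest RAM" and the device's own MMIO register window; a transfer that lands on the kick register starts another transfer, so the engine re-enters itself. Three policies are compared: no check (the runaway nesting that stands in for the stack overflow the commit message mentions), RAM-only targets (the approach of the quoted patch), and a bounded nesting depth (a constructed alternative that tolerates limited re-entry, which is the property the broken Linux driver test suggests is needed; it is not a claim about the eventual upstream fix). All addresses, register offsets, sizes and limits are constructed for the example.

```c
/* Toy DMA engine with a DMA-MMIO reentrancy path; illustration only, not QEMU code.
 * Every address, register, size and limit here is made up for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE      0x10000u     /* 64 KiB of "guest RAM" at address 0 */
#define MMIO_BASE     0xF0000000u  /* the device's own register window */
#define MMIO_SIZE     0x10u
#define DMA_KICK_REG  0x0u         /* writing this register starts a DMA */
#define MAX_DMA_DEPTH 2            /* DMA_BOUNDED: outer call plus one nested call */
#define STACK_LIMIT   64           /* stands in for the real stack running out */

enum dma_policy {
    DMA_ALLOW_MMIO, /* no check at all: the vulnerable behaviour */
    DMA_RAM_ONLY,   /* DMA may only target RAM (the quoted patch's approach) */
    DMA_BOUNDED     /* allow limited nesting, refuse anything deeper */
};

struct device {
    uint8_t ram[RAM_SIZE];
    uint32_t kick_reg;
    enum dma_policy policy;
    int depth;      /* current nesting of dma_write() */
    int max_depth;  /* deepest nesting observed */
    int rejected;   /* transfers refused by the policy */
    bool crashed;   /* nesting passed STACK_LIMIT: the simulated stack overflow */
};

struct outcome { bool crashed; int max_depth; int rejected; uint8_t ram_byte; };

static int dma_write(struct device *d, uint64_t addr, const uint8_t *buf, size_t len);

/* Register-write handler: a write to the kick register starts a transfer of the
 * written value to the address named by that value, re-entering the engine. */
static void mmio_write(struct device *d, uint64_t offset, uint32_t val)
{
    if (offset == DMA_KICK_REG) {
        uint8_t payload[4];
        d->kick_reg = val;
        memcpy(payload, &val, sizeof payload);
        dma_write(d, val, payload, sizeof payload);
    }
}

static int dma_write(struct device *d, uint64_t addr, const uint8_t *buf, size_t len)
{
    bool ram  = addr + len <= RAM_SIZE;
    bool mmio = addr >= MMIO_BASE && addr + len <= MMIO_BASE + MMIO_SIZE;
    int rc = 0;

    if (d->policy == DMA_RAM_ONLY && !ram) { d->rejected++; return -1; }
    if (d->policy == DMA_BOUNDED && d->depth >= MAX_DMA_DEPTH) { d->rejected++; return -1; }
    if (d->depth >= STACK_LIMIT) { d->crashed = true; return -1; }  /* unbounded recursion */

    d->depth++;
    if (d->depth > d->max_depth) d->max_depth = d->depth;
    if (ram) {
        memcpy(&d->ram[addr], buf, len);
    } else if (mmio && len == 4) {
        uint32_t val;
        memcpy(&val, buf, sizeof val);
        mmio_write(d, addr - MMIO_BASE, val);   /* DMA into our own registers */
    } else {
        rc = -1;   /* unmapped: the bus reports an error */
    }
    d->depth--;
    return rc;
}

/* One scenario: a benign transfer into RAM, then a transfer whose payload
 * points the kick register back at the MMIO window itself. */
struct outcome run_dma_loop(enum dma_policy policy)
{
    static struct device d;   /* 64 KiB, so keep it off the stack */
    const uint8_t hello[] = { 0x48, 0x69 };   /* constructed payload "Hi" */
    uint32_t self = MMIO_BASE + DMA_KICK_REG;
    uint8_t payload[4];
    struct outcome o;

    memset(&d, 0, sizeof d);
    d.policy = policy;
    dma_write(&d, 0x100, hello, sizeof hello);          /* ordinary DMA into RAM */
    memcpy(payload, &self, sizeof payload);
    dma_write(&d, MMIO_BASE + DMA_KICK_REG, payload, sizeof payload);

    o.crashed = d.crashed; o.max_depth = d.max_depth;
    o.rejected = d.rejected; o.ram_byte = d.ram[0x100];
    return o;
}

int main(void)
{
    static const char *names[] = { "allow-mmio", "ram-only", "bounded" };
    for (int p = DMA_ALLOW_MMIO; p <= DMA_BOUNDED; p++) {
        struct outcome o = run_dma_loop((enum dma_policy)p);
        printf("%-10s crashed=%d max_depth=%d rejected=%d\n",
               names[p], o.crashed, o.max_depth, o.rejected);
    }
    return 0;
}
```

Running it shows the three behaviours side by side: with no check the nesting runs until the simulated stack limit, the RAM-only policy refuses the MMIO target outright (the strict rule that, on real hardware drivers, can also refuse transfers the guest legitimately relies on), and the bounded policy lets one level of re-entry through while still stopping the runaway case. Which depth is "legitimate" for the real controller is exactly the question the thread leaves open.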
Thread overview:
2023-01-16 20:42 [PATCH] scsi/lsi53c895a: restrict DMA engine to memory regions (CVE-2023-0330) Mauro Matteo Cascella
2023-01-16 21:50 ` Mauro Matteo Cascella
2023-03-17 18:18 ` Karl Heubaum
2023-03-17 21:59 ` Philippe Mathieu-Daudé
2023-03-24 11:00 ` Mauro Matteo Cascella
2023-03-24 11:37 ` Alexander Bulekov
2023-05-16 9:46 ` Thomas Huth [this message]