virtualization.lists.linux-foundation.org archive mirror
From: Andi Kleen <ak@linux.intel.com>
To: Konrad Rzeszutek Wilk <konrad@darnok.org>
Cc: sathyanarayanan.kuppuswamy@linux.intel.com, mst@redhat.com,
	x86@kernel.org, linux-kernel@vger.kernel.org,
	virtualization@lists.linux-foundation.org,
	iommu@lists.linux-foundation.org, jpoimboe@redhat.com,
	robin.murphy@arm.com, hch@lst.de, m.szyprowski@samsung.com
Subject: Re: [PATCH v1 5/8] dma: Use size for swiotlb boundary checks
Date: Wed, 2 Jun 2021 19:03:47 -0700
Message-ID: <665925d2-d6d5-218f-15f8-c6c5abaaba40@linux.intel.com>
In-Reply-To: <YLg096ycQ60lcuHe@localhost.localdomain>


On 6/2/2021 6:48 PM, Konrad Rzeszutek Wilk wrote:
> On Wed, Jun 02, 2021 at 05:41:30PM -0700, Andi Kleen wrote:
>> swiotlb currently only uses the start address of a DMA to check if something
>> is in the swiotlb or not. But with virtio and untrusted hosts the host
>> could give some DMA mapping that crosses the swiotlb boundaries,
>> potentially leaking or corrupting data. Add size checks to all the swiotlb
>> checks and reject any DMAs that cross the swiotlb buffer boundaries.
> I seem to be only CC-ed on this and #7, so please bear with me.
You weren't cc'ed originally so if you get partial emails it must be 
through some list.
>
> But could you explain to me why please:
>
> commit daf9514fd5eb098d7d6f3a1247cb8cc48fc94155 (swiotlb/stable/for-linus-5.12)
> Author: Martin Radev <martin.b.radev@gmail.com>
> Date:   Tue Jan 12 16:07:29 2021 +0100
>
>      swiotlb: Validate bounce size in the sync/unmap path
>
> does not solve the problem as well?

Thanks. I missed that patch, race condition.

One major difference of my patch is that it supports an error return, 
which allows virtio to error out. This is important in virtio because 
otherwise you'll end up with uninitialized memory on the target without 
any indication. This uninitialized memory could be a potential attack 
vector on the guest memory, e.g. if the attacker finds some way to echo 
it out again.

But the error return could be added to your infrastructure too and that 
would make this patch much shorter. I'll take a look at that.

-Andi
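
The distinction discussed in this message, as an added example (not code from the patch series or from the kernel): a user-space C model in which a start-only check accepts a mapping that runs past the end of the bounce pool, while a start-and-size check rejects it and returns an error the caller can act on instead of consuming an unfilled buffer. The pool layout, function names and errno values are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define POOL_BASE 0x1000u           /* constructed "DMA address" of the pool */
#define POOL_SIZE 256u              /* constructed pool length in bytes */

static uint8_t pool_mem[POOL_SIZE]; /* stands in for the bounce buffer */

/* Start-only test: accepts any mapping that merely begins inside the pool. */
static bool start_in_pool(uint64_t addr)
{
    return addr >= POOL_BASE && addr - POOL_BASE < POOL_SIZE;
}

/*
 * Start-and-size test: the whole range [addr, addr + size) must lie inside
 * the pool. The subtraction form cannot wrap, unlike addr + size <= end.
 */
static bool range_in_pool(uint64_t addr, uint64_t size)
{
    return start_in_pool(addr) && size <= POOL_SIZE - (addr - POOL_BASE);
}

/*
 * Copy bounced data back to the driver's buffer. A rejected range is
 * reported to the caller; dst is left untouched in that case.
 */
static int bounce_to_cpu(uint64_t addr, uint64_t size, uint8_t *dst)
{
    if (!range_in_pool(addr, size))
        return -EINVAL;             /* errno choice is an assumption */
    memcpy(dst, pool_mem + (addr - POOL_BASE), size);
    return 0;
}

/* Driver-side completion: fail the I/O rather than hand dst onward. */
static int complete_request(uint64_t addr, uint64_t size, uint8_t *dst)
{
    return bounce_to_cpu(addr, size, dst) ? -EIO : 0;
}
```
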




