From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Cooper Subject: Re: [PATCH 2/3] VT-d: suppress UR signaling for desktop chipsets Date: Mon, 7 Apr 2014 13:21:16 +0100 Message-ID: <5342983C.6050102@citrix.com> References: <533D471D0200007800005104@nat28.tlf.novell.com> <533D48AA0200007800005124@nat28.tlf.novell.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6412641985497649010==" Return-path: Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1WX8YD-0006xg-EI for xen-devel@lists.xenproject.org; Mon, 07 Apr 2014 12:21:21 +0000 In-Reply-To: <533D48AA0200007800005124@nat28.tlf.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Jan Beulich Cc: Keir Fraser , Asit K Mallick , Donald D Dugger , Jun Nakajima , xen-devel , xiantao.zhang@intel.com List-Id: xen-devel@lists.xenproject.org --===============6412641985497649010== Content-Type: multipart/alternative; boundary="------------030105080702020300080007" --------------030105080702020300080007 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit On 03/04/14 10:40, Jan Beulich wrote: > Unsupported Requests can be signaled for malformed writes to the MSI > address region, e.g. due to buggy or malicious DMA set up to that > region. These should normally result in IOMMU faults, but don't on > the desktop chipsets dealt with here. > > This is CVE-2013-3495 / XSA-59. > > Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper > > --- a/xen/drivers/passthrough/vtd/quirks.c > +++ b/xen/drivers/passthrough/vtd/quirks.c > @@ -392,6 +392,8 @@ void __init pci_vtd_quirk(struct pci_dev > int func = PCI_FUNC(pdev->devfn); > int pos; > u32 val; > + u64 bar; > + paddr_t pa; > > if ( pci_conf_read16(seg, bus, dev, func, PCI_VENDOR_ID) != 0x8086 ) > return; > @@ -452,5 +454,33 @@ void __init pci_vtd_quirk(struct pci_dev > printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n", > seg, bus, dev, func); > break; > + > + case 0x100: case 0x104: case 0x108: /* Sandybridge */ > + case 0x150: case 0x154: case 0x158: /* Ivybridge */ > + case 0xa04: /* Haswell ULT */ > + case 0xc00: case 0xc04: case 0xc08: /* Haswell */ > + bar = pci_conf_read32(seg, bus, dev, func, 0x6c); > + bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68); > + pa = bar & 0x7fffff000; /* bits 12...38 */ > + if ( (bar & 1) && pa && > + page_is_ram_type(paddr_to_pfn(pa), RAM_TYPE_RESERVED) ) > + { > + u32 __iomem *va = ioremap(pa, PAGE_SIZE); > + > + if ( va ) > + { > + __set_bit(0x1c8 * 8 + 20, va); > + iounmap(va); > + printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n", > + seg, bus, dev, func); > + } > + else > + printk(XENLOG_ERR "Could not map %"PRIpaddr" for %04x:%02x:%02x.%u\n", > + pa, seg, bus, dev, func); > + } > + else > + printk(XENLOG_WARNING "Bogus DMIBAR %#"PRIx64" on %04x:%02x:%02x.%u\n", > + bar, seg, bus, dev, func); > + break; > } > } > > > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel --------------030105080702020300080007 Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit
On 03/04/14 10:40, Jan Beulich wrote:
Unsupported Requests can be signaled for malformed writes to the MSI
address region, e.g. due to buggy or malicious DMA set up to that
region. These should normally result in IOMMU faults, but don't on
the desktop chipsets dealt with here.

This is CVE-2013-3495 / XSA-59.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>


--- a/xen/drivers/passthrough/vtd/quirks.c
+++ b/xen/drivers/passthrough/vtd/quirks.c
@@ -392,6 +392,8 @@ void __init pci_vtd_quirk(struct pci_dev
     int func = PCI_FUNC(pdev->devfn);
     int pos;
     u32 val;
+    u64 bar;
+    paddr_t pa;
 
     if ( pci_conf_read16(seg, bus, dev, func, PCI_VENDOR_ID) != 0x8086 )
         return;
@@ -452,5 +454,33 @@ void __init pci_vtd_quirk(struct pci_dev
         printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
                seg, bus, dev, func);
         break;
+
+    case 0x100: case 0x104: case 0x108: /* Sandybridge */
+    case 0x150: case 0x154: case 0x158: /* Ivybridge */
+    case 0xa04: /* Haswell ULT */
+    case 0xc00: case 0xc04: case 0xc08: /* Haswell */
+        bar = pci_conf_read32(seg, bus, dev, func, 0x6c);
+        bar = (bar << 32) | pci_conf_read32(seg, bus, dev, func, 0x68);
+        pa = bar & 0x7fffff000; /* bits 12...38 */
+        if ( (bar & 1) && pa &&
+             page_is_ram_type(paddr_to_pfn(pa), RAM_TYPE_RESERVED) )
+        {
+            u32 __iomem *va = ioremap(pa, PAGE_SIZE);
+
+            if ( va )
+            {
+                __set_bit(0x1c8 * 8 + 20, va);
+                iounmap(va);
+                printk(XENLOG_INFO "Masked UR signaling on %04x:%02x:%02x.%u\n",
+                       seg, bus, dev, func);
+            }
+            else
+                printk(XENLOG_ERR "Could not map %"PRIpaddr" for %04x:%02x:%02x.%u\n",
+                       pa, seg, bus, dev, func);
+        }
+        else
+            printk(XENLOG_WARNING "Bogus DMIBAR %#"PRIx64" on %04x:%02x:%02x.%u\n",
+                   bar, seg, bus, dev, func);
+        break;
     }
 }






_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

--------------030105080702020300080007-- --===============6412641985497649010== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel --===============6412641985497649010==--