| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <9bb2fdd4-59c3-13e9-7c7d-65107be6a32d@free.fr>
Date: Tue, 23 May 2017 21:29:05 +0200
From: Mason <slash.tmp@...e.fr>
To: Bjorn Helgaas <helgaas@...nel.org>
Cc: Marc Gonzalez <marc_gonzalez@...madesigns.com>,
linux-pci <linux-pci@...r.kernel.org>,
Marc Zyngier <marc.zyngier@....com>,
Thomas Gleixner <tglx@...utronix.de>,
Robin Murphy <robin.murphy@....com>,
Lorenzo Pieralisi <lorenzo.pieralisi@....com>,
Liviu Dudau <liviu.dudau@....com>,
David Laight <david.laight@...lab.com>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
Thibaud Cornic <thibaud_cornic@...madesigns.com>,
Phuong Nguyen <phuong_nguyen@...madesigns.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v4 2/2] PCI: Add tango PCIe host bridge support
On 23/05/2017 20:35, Bjorn Helgaas wrote:
> On Tue, May 23, 2017 at 07:43:16PM +0200, Mason wrote:
>> On 23/05/2017 19:24, Bjorn Helgaas wrote:
>>> On Thu, Apr 20, 2017 at 04:31:25PM +0200, Marc Gonzalez wrote:
>>>> This driver is required to work around several hardware bugs in the
>>>> PCIe controller.
>>>>
>>>> NB: Revision 1 does not support legacy interrupts, or IO space.
>>>>
>>>> Signed-off-by: Marc Gonzalez <marc_gonzalez@...madesigns.com>
>>>> ---
>>>> Documentation/devicetree/bindings/pci/tango-pcie.txt | 32 ++++++++
>>>> drivers/pci/host/Kconfig | 8 ++
>>>> drivers/pci/host/Makefile | 1 +
>>>> drivers/pci/host/pcie-tango.c | 161 +++++++++++++++++++++++++++++++++++++++
>>>> include/linux/pci_ids.h | 2 +
>>>> 5 files changed, 204 insertions(+)
>>>> ...
>>>
>>>> +static int smp8759_config_read(struct pci_bus *bus,
>>>> + unsigned int devfn, int where, int size, u32 *val)
>>>> +{
>>>> + int ret;
>>>> + struct pci_config_window *cfg = bus->sysdata;
>>>> + struct tango_pcie *pcie = dev_get_drvdata(cfg->parent);
>>>> +
>>>> + /*
>>>> + * QUIRK #1
>>>> + * Reads in configuration space outside devfn 0 return garbage.
>>>> + */
>>>> + if (devfn != 0)
>>>> + return PCIBIOS_FUNC_NOT_SUPPORTED;
>>>> +
>>>> + /*
>>>> + * QUIRK #2
>>>> + * Unfortunately, config and mem spaces are muxed.
>>>> + * Linux does not support such a setting, since drivers are free
>>>> + * to access mem space directly, at any time.
>>>> + * Therefore, we can only PRAY that config and mem space accesses
>>>> + * NEVER occur concurrently.
>>>> + */
>>>> + writel_relaxed(1, pcie->mux);
>>>> + ret = pci_generic_config_read(bus, devfn, where, size, val);
>>>> + writel_relaxed(0, pcie->mux);
>>>
>>> This is a major issue and possibly even a security problem.
>>> Unprivileged users can cause config accesses via lspci/setpci.
>>
>> Since the host bridge doesn't support hotplug in any way,
>> how about setting a flag once enumeration is complete,
>> to prevent all future config accesses?
>
> I thought about that, too, but I'm not sure it will work becuase I
> think drivers will need to do at least a few config accesses, e.g.,
> pci_enable_device() may write PCI_COMMAND to set PCI_COMMAND_MEMORY,
> it may read PCI_INTERRUPT_PIN, etc. And MSI setup requires config
> access, too.
>
>>> I don't have a good suggestion for addressing it, but if you can't
>>> make this work reliably, you need at least a dev_err() in the probe
>>> function and probably a taint of the kernel (see add_taint()).
>>
>> There is a chance that the issue will get fixed in rev2
>> of the bridge. But obviously, that won't help for rev1
>> already in the wild.
>
> Hopefully there will be a way to distinguish rev2 from rev1.
rev2 is embedded in a new SoC, so the DT node will specify a
different compatible string. A "preview" of the intent was
given in an older patch:
"[RFC PATCH v0.2] PCI: Add support for tango PCIe host bridge"
Regards.
Powered by blists - more mailing lists