Date:   Mon, 8 Apr 2019 06:47:00 -0700
From:   Guenter Roeck <linux@...ck-us.net>
To:     John Garry <john.garry@...wei.com>,
        Bjorn Helgaas <helgaas@...nel.org>
Cc:     wangkefeng.wang@...wei.com, lorenzo.pieralisi@....com,
        arnd@...db.de, rafael@...nel.org, linux-pci@...r.kernel.org,
        will.deacon@....com, linux-kernel@...r.kernel.org,
        linuxarm@...wei.com, andy.shevchenko@...il.com,
        catalin.marinas@....com, bp@...e.de,
        linux-arm-kernel@...ts.infradead.org,
        Hardware Monitoring <linux-hwmon@...r.kernel.org>
Subject: Re: [PATCH v3 3/4] lib: logic_pio: Reject accesses to unregistered
 CPU MMIO regions

On 4/8/19 1:19 AM, John Garry wrote:
> On 05/04/2019 19:29, Guenter Roeck wrote:
>> On Fri, Apr 05, 2019 at 01:06:15PM -0500, Bjorn Helgaas wrote:
>>> On Fri, Apr 05, 2019 at 09:10:27AM +0100, John Garry wrote:
>>>> On 04/04/2019 19:58, Bjorn Helgaas wrote:
>>>>> On Thu, Apr 04, 2019 at 10:43:36AM -0700, Guenter Roeck wrote:
>>>>>> On Thu, Apr 04, 2019 at 05:52:35PM +0100, John Garry wrote:
>>>>>>>>> Note that the f71805f driver does not call
>>>>>>>>> request_{muxed_}region(), as it should.
>>>>>>>
>>>>>>>> ... which is the real problem, one that is not solved by this
>>>>>>>> patch. This may result in parallel and destructive accesses if
>>>>>>>> there is another device on the LPC bus, and another driver
>>>>>>>> accessing that device. Personally I'd rather have
>>>>>>>> request_muxed_region() added to the f71805f driver.
>>>>>>>
>>>>>>> Right, we should and will still fix f71805f. If you recall, I did
>>>>>>> have the f71805f fix in the v1 series, but you committed that it
>>>>>>> was orthogonal, so I decided to take it out of this work for now.
>>>>>>>
>>>>>>> And even if we fix up f71805f and other known drivers which don't
>>>>>>> call request_muxed_region(), we still need to police against these
>>>>>>> rogue accesses, which is what this patch attempts to do.
>>>>>>>
>>>>>> Do we ? I am personally not convinced that LPC accesses _have_ to
>>>>>> occur through PCI on any given system.
>>>>>
>>>>> On current systems, I suspect ISA/LPC devices are typically connected
>>>>> via a PCI-to-ISA/LPC bridge.  But AFAIK there's no actual requirement
>>>>> for that bridge, and there certainly *were* systems with ISA devices
>>>>> but no PCI at all.
>>>>>
>>>>> IMO, if you want to build ISA drivers on your arch, you need to make
>>>>> sure the inb() probing done by those drivers works like it does on
>>>>> x86.  If there's no device there, the inb() should return 0xff with no
>>>>> fuss and no crash.
>>>>
>>>> Right, and this is what I am attempting to do here.
>>>>
>>>> So today a call to request_muxed_region() can still succeed even if no IO
>>>> space is mapped.
>>>>
>>>> As such, even well-behaved drivers like f71882fg can still crash the system,
>>>> as noted in RFC patch 1/4 ("resource: Request IO port regions from children
>>>> of ioport_resource").
>>>
>>> Maybe I'm missing something, but on x86, drivers like f71882fg do not
>>> crash the system because inb() *never* causes a crash.
>>>
>>> If you want to build that driver for ARM, I think you need to make
>>> sure that inb() on ARM also *never* causes a crash.  I don't think
>>> changing f71882fg and all the similar drivers is the right answer.
>>>
>>
>> Agreed. As I had mentioned earlier, the driver changes are orthogonal:
>> the drivers should request the IO region before accessing it, primarily
>> to avoid conflicting accesses by multiple drivers in parallel. For
>> example, the f71882fg driver supports chips which implement hardware
>> monitoring as well as watchdog functionality, and both the hwmon
>> and the watchdog driver may try to access the io space.
>>
>> If and how the system ensures that the IO region exists and/or that
>> inb() always succeeds is a different question. I would prefer a less
>> complex solution than the one suggested here, but that is my personal
>> opinion.
> 
> Hi Guenter,
> 
> I have a question about these super-IO accesses:
> 
> To me, it's not good that these hwmon, watchdog, gpio, etc drivers make unconstrained accesses to 0x2e and 0x4e ports (ignoring the request_muxed_region() call).
> 
> The issue I see is that on an arm, IO space for some other device may be mapped in this region, so it would not be right for these drivers to access those same regions.
> 
Yes, but then there _could_ be some arm or arm64 device supporting one of those chips,
so we can not just add something like "depends on !(ARM || ARM64)".

> Is there any other platform check which can be made to ensure that accessing these super-IO ports is appropriate?
> 

Not that I know of. It would make some sense to provide API functions
for Super-IO accesses, but that would be a lot of work, and I guess
it isn't really valuable enough for anyone to pick up and do.

Normally, if you have such a system, the respective drivers should not be
built. After all, this isn't the only instance where drivers unconditionally
access some io region, no matter if the underlying hardware exists or not.
The only real defense against that is to not build those drivers into
a given kernel.

Guenter
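
The two behaviours debated in this thread, as a simplified userspace model added here for illustration; it is not part of the thread, the patch series, or the kernel's logic_pio code. All names (`io_window`, `model_inb`, `model_outb`, `model_request_region`) and the single registered window at 0x2e are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified userspace model; every name here is hypothetical. */
struct io_window {
    unsigned long start, size; /* logical port range that is really backed */
    uint8_t *regs;             /* stands in for the mapped MMIO window */
    bool busy;                 /* currently held by one driver */
};

static uint8_t lpc_regs[2];
/* Constructed sample: only the 0x2e/0x2f port pair is registered. */
static struct io_window windows[] = { { 0x2e, 2, lpc_regs, false } };

/* Return the window that fully contains [port, port + len), or NULL. */
static struct io_window *find_window(unsigned long port, unsigned long len)
{
    for (size_t i = 0; i < sizeof(windows) / sizeof(windows[0]); i++) {
        struct io_window *w = &windows[i];
        if (port >= w->start && len <= w->size &&
            port - w->start <= w->size - len)
            return w;
    }
    return NULL;
}

/* Reads of unregistered ports return 0xff instead of touching memory. */
uint8_t model_inb(unsigned long port)
{
    struct io_window *w = find_window(port, 1);
    return w ? w->regs[port - w->start] : 0xff;
}

/* Writes to unregistered ports are dropped. */
void model_outb(uint8_t val, unsigned long port)
{
    struct io_window *w = find_window(port, 1);
    if (w) w->regs[port - w->start] = val;
}

/* Fails if unbacked or held; request_muxed_region() would wait instead. */
int model_request_region(unsigned long port, unsigned long len)
{
    struct io_window *w = find_window(port, len);
    if (!w || w->busy) return -1;
    w->busy = true;
    return 0;
}
```

In this model a probe of 0x4e reads 0xff and its claim is refused, while the hwmon/watchdog conflict on 0x2e shows up as the second claim failing.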
