lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Jun 2020 11:08:16 -0600 From: Alex Williamson <alex.williamson@...hat.com> To: Jacob Pan <jacob.jun.pan@...ux.intel.com> Cc: iommu@...ts.linux-foundation.org, LKML <linux-kernel@...r.kernel.org>, "Lu Baolu" <baolu.lu@...ux.intel.com>, Joerg Roedel <joro@...tes.org>, David Woodhouse <dwmw2@...radead.org>, Yi Liu <yi.l.liu@...el.com>, "Tian, Kevin" <kevin.tian@...el.com>, Raj Ashok <ashok.raj@...el.com>, "Christoph Hellwig" <hch@...radead.org>, Jean-Philippe Brucker <jean-philippe@...aro.com>, Eric Auger <eric.auger@...hat.com>, Jonathan Corbet <corbet@....net> Subject: Re: [PATCH v2 3/3] iommu/vt-d: Sanity check uapi argsz filled by users On Wed, 10 Jun 2020 21:12:15 -0700 Jacob Pan <jacob.jun.pan@...ux.intel.com> wrote: > IOMMU UAPI data has an argsz field which is filled by user. As the data > structures expands, argsz may change. As the UAPI data are shared among > different architectures, extensions of UAPI data could be a result of > one architecture which has no impact on another. Therefore, these argsz > santity checks are performed in the model specific IOMMU drivers. This > patch adds sanity checks in the VT-d to ensure argsz passed by userspace > matches feature flags and other contents. > > Signed-off-by: Jacob Pan <jacob.jun.pan@...ux.intel.com> > --- > drivers/iommu/intel-iommu.c | 16 ++++++++++++++++ > drivers/iommu/intel-svm.c | 12 ++++++++++++ > 2 files changed, 28 insertions(+) > > diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c > index 27ebf4b9faef..c98b5109684b 100644 > --- a/drivers/iommu/intel-iommu.c > +++ b/drivers/iommu/intel-iommu.c > @@ -5365,6 +5365,7 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev, > struct device_domain_info *info; > struct intel_iommu *iommu; > unsigned long flags; > + unsigned long minsz; > int cache_type; > u8 bus, devfn; > u16 did, sid; > @@ -5385,6 +5386,21 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev, > if (!(dmar_domain->flags & DOMAIN_FLAG_NESTING_MODE)) > return -EINVAL; > > + minsz = offsetofend(struct iommu_cache_invalidate_info, padding); Would it still be better to look for the end of the last field that's actually used to avoid the code churn and oversights if/when the padding field does get used and renamed? Per my comment on patch 1/, this also seems like where the device specific IOMMU driver should also have the responsibility of receiving a __user pointer to do the copy_from_user() here. vfio can't know which flags require which fields to make a UAPI with acceptable compatibility guarantees otherwise. > + if (inv_info->argsz < minsz) > + return -EINVAL; > + > + /* Sanity check user filled invalidation dat sizes */ > + if (inv_info->granularity == IOMMU_INV_GRANU_ADDR && > + inv_info->argsz != offsetofend(struct iommu_cache_invalidate_info, > + addr_info)) > + return -EINVAL; > + > + if (inv_info->granularity == IOMMU_INV_GRANU_PASID && > + inv_info->argsz != offsetofend(struct iommu_cache_invalidate_info, > + pasid_info)) > + return -EINVAL; > + > spin_lock_irqsave(&device_domain_lock, flags); > spin_lock(&iommu->lock); > info = get_domain_info(dev); > diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c > index 35b43fe819ed..64dc2c66dfff 100644 > --- a/drivers/iommu/intel-svm.c > +++ b/drivers/iommu/intel-svm.c > @@ -235,15 +235,27 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev, > struct dmar_domain *dmar_domain; > struct intel_svm_dev *sdev; > struct intel_svm *svm; > + unsigned long minsz; > int ret = 0; > > if (WARN_ON(!iommu) || !data) > return -EINVAL; > > + /* > + * We mandate that no size change in IOMMU UAPI data before the > + * variable size union at the end. > + */ > + minsz = offsetofend(struct iommu_gpasid_bind_data, padding); Same. Thanks, Alex > + if (data->argsz < minsz) > + return -EINVAL; > + > if (data->version != IOMMU_GPASID_BIND_VERSION_1 || > data->format != IOMMU_PASID_FORMAT_INTEL_VTD) > return -EINVAL; > > + if (data->argsz != offsetofend(struct iommu_gpasid_bind_data, vtd)) > + return -EINVAL; > + > if (!dev_is_pci(dev)) > return -ENOTSUPP; >
Powered by blists - more mailing lists