lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 11 Jun 2020 11:08:16 -0600
From:   Alex Williamson <alex.williamson@...hat.com>
To:     Jacob Pan <jacob.jun.pan@...ux.intel.com>
Cc:     iommu@...ts.linux-foundation.org,
        LKML <linux-kernel@...r.kernel.org>,
        "Lu Baolu" <baolu.lu@...ux.intel.com>,
        Joerg Roedel <joro@...tes.org>,
        David Woodhouse <dwmw2@...radead.org>,
        Yi Liu <yi.l.liu@...el.com>,
        "Tian, Kevin" <kevin.tian@...el.com>,
        Raj Ashok <ashok.raj@...el.com>,
        "Christoph Hellwig" <hch@...radead.org>,
        Jean-Philippe Brucker <jean-philippe@...aro.com>,
        Eric Auger <eric.auger@...hat.com>,
        Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH v2 3/3] iommu/vt-d: Sanity check uapi argsz filled by
 users

On Wed, 10 Jun 2020 21:12:15 -0700
Jacob Pan <jacob.jun.pan@...ux.intel.com> wrote:

> IOMMU UAPI data has an argsz field which is filled by user. As the data
> structures expands, argsz may change. As the UAPI data are shared among
> different architectures, extensions of UAPI data could be a result of
> one architecture which has no impact on another. Therefore, these argsz
> santity checks are performed in the model specific IOMMU drivers. This
> patch adds sanity checks in the VT-d to ensure argsz passed by userspace
> matches feature flags and other contents.
> 
> Signed-off-by: Jacob Pan <jacob.jun.pan@...ux.intel.com>
> ---
>  drivers/iommu/intel-iommu.c | 16 ++++++++++++++++
>  drivers/iommu/intel-svm.c   | 12 ++++++++++++
>  2 files changed, 28 insertions(+)
> 
> diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c
> index 27ebf4b9faef..c98b5109684b 100644
> --- a/drivers/iommu/intel-iommu.c
> +++ b/drivers/iommu/intel-iommu.c
> @@ -5365,6 +5365,7 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev,
>  	struct device_domain_info *info;
>  	struct intel_iommu *iommu;
>  	unsigned long flags;
> +	unsigned long minsz;
>  	int cache_type;
>  	u8 bus, devfn;
>  	u16 did, sid;
> @@ -5385,6 +5386,21 @@ intel_iommu_sva_invalidate(struct iommu_domain *domain, struct device *dev,
>  	if (!(dmar_domain->flags & DOMAIN_FLAG_NESTING_MODE))
>  		return -EINVAL;
>  
> +	minsz = offsetofend(struct iommu_cache_invalidate_info, padding);

Would it still be better to look for the end of the last field that's
actually used to avoid the code churn and oversights if/when the padding
field does get used and renamed?

Per my comment on patch 1/, this also seems like where the device
specific IOMMU driver should also have the responsibility of receiving
a __user pointer to do the copy_from_user() here.  vfio can't know
which flags require which fields to make a UAPI with acceptable
compatibility guarantees otherwise.

> +	if (inv_info->argsz < minsz)
> +		return -EINVAL;
> +
> +	/* Sanity check user filled invalidation dat sizes */
> +	if (inv_info->granularity == IOMMU_INV_GRANU_ADDR &&
> +		inv_info->argsz != offsetofend(struct iommu_cache_invalidate_info,
> +					addr_info))
> +		return -EINVAL;
> +
> +	if (inv_info->granularity == IOMMU_INV_GRANU_PASID &&
> +		inv_info->argsz != offsetofend(struct iommu_cache_invalidate_info,
> +					pasid_info))
> +		return -EINVAL;
> +
>  	spin_lock_irqsave(&device_domain_lock, flags);
>  	spin_lock(&iommu->lock);
>  	info = get_domain_info(dev);
> diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
> index 35b43fe819ed..64dc2c66dfff 100644
> --- a/drivers/iommu/intel-svm.c
> +++ b/drivers/iommu/intel-svm.c
> @@ -235,15 +235,27 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev,
>  	struct dmar_domain *dmar_domain;
>  	struct intel_svm_dev *sdev;
>  	struct intel_svm *svm;
> +	unsigned long minsz;
>  	int ret = 0;
>  
>  	if (WARN_ON(!iommu) || !data)
>  		return -EINVAL;
>  
> +	/*
> +	 * We mandate that no size change in IOMMU UAPI data before the
> +	 * variable size union at the end.
> +	 */
> +	minsz = offsetofend(struct iommu_gpasid_bind_data, padding);

Same.  Thanks,

Alex

> +	if (data->argsz < minsz)
> +		return -EINVAL;
> +
>  	if (data->version != IOMMU_GPASID_BIND_VERSION_1 ||
>  	    data->format != IOMMU_PASID_FORMAT_INTEL_VTD)
>  		return -EINVAL;
>  
> +	if (data->argsz != offsetofend(struct iommu_gpasid_bind_data, vtd))
> +		return -EINVAL;
> +
>  	if (!dev_is_pci(dev))
>  		return -ENOTSUPP;
>  

Powered by blists - more mailing lists