lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 11 Jun 2020 13:02:24 -0700
From:   Jacob Pan <jacob.jun.pan@...ux.intel.com>
To:     Alex Williamson <alex.williamson@...hat.com>
Cc:     iommu@...ts.linux-foundation.org,
        LKML <linux-kernel@...r.kernel.org>,
        "Lu Baolu" <baolu.lu@...ux.intel.com>,
        Joerg Roedel <joro@...tes.org>,
        David Woodhouse <dwmw2@...radead.org>,
        Yi Liu <yi.l.liu@...el.com>,
        "Tian, Kevin" <kevin.tian@...el.com>,
        Raj Ashok <ashok.raj@...el.com>,
        "Christoph Hellwig" <hch@...radead.org>,
        Jean-Philippe Brucker <jean-philippe@...aro.com>,
        Eric Auger <eric.auger@...hat.com>,
        Jonathan Corbet <corbet@....net>, jacob.jun.pan@...ux.intel.com
Subject: Re: [PATCH v2 3/3] iommu/vt-d: Sanity check uapi argsz filled by
 users

On Thu, 11 Jun 2020 11:08:16 -0600
Alex Williamson <alex.williamson@...hat.com> wrote:

> On Wed, 10 Jun 2020 21:12:15 -0700
> Jacob Pan <jacob.jun.pan@...ux.intel.com> wrote:
> 
> > IOMMU UAPI data has an argsz field which is filled by user. As the
> > data structures expands, argsz may change. As the UAPI data are
> > shared among different architectures, extensions of UAPI data could
> > be a result of one architecture which has no impact on another.
> > Therefore, these argsz santity checks are performed in the model
> > specific IOMMU drivers. This patch adds sanity checks in the VT-d
> > to ensure argsz passed by userspace matches feature flags and other
> > contents.
> > 
> > Signed-off-by: Jacob Pan <jacob.jun.pan@...ux.intel.com>
> > ---
> >  drivers/iommu/intel-iommu.c | 16 ++++++++++++++++
> >  drivers/iommu/intel-svm.c   | 12 ++++++++++++
> >  2 files changed, 28 insertions(+)
> > 
> > diff --git a/drivers/iommu/intel-iommu.c
> > b/drivers/iommu/intel-iommu.c index 27ebf4b9faef..c98b5109684b
> > 100644 --- a/drivers/iommu/intel-iommu.c
> > +++ b/drivers/iommu/intel-iommu.c
> > @@ -5365,6 +5365,7 @@ intel_iommu_sva_invalidate(struct
> > iommu_domain *domain, struct device *dev, struct device_domain_info
> > *info; struct intel_iommu *iommu;
> >  	unsigned long flags;
> > +	unsigned long minsz;
> >  	int cache_type;
> >  	u8 bus, devfn;
> >  	u16 did, sid;
> > @@ -5385,6 +5386,21 @@ intel_iommu_sva_invalidate(struct
> > iommu_domain *domain, struct device *dev, if (!(dmar_domain->flags
> > & DOMAIN_FLAG_NESTING_MODE)) return -EINVAL;
> >  
> > +	minsz = offsetofend(struct iommu_cache_invalidate_info,
> > padding);  
> 
> Would it still be better to look for the end of the last field that's
> actually used to avoid the code churn and oversights if/when the
> padding field does get used and renamed?
> 
My thought was that if the padding gets partially re-purposed, the
remaining padding would still be valid for minsz check. The extension
rule ensures that there is no size change other the variable size union
at the end. So use padding would avoid the churn, or i am totally wrong?

> Per my comment on patch 1/, this also seems like where the device
> specific IOMMU driver should also have the responsibility of receiving
> a __user pointer to do the copy_from_user() here.  vfio can't know
> which flags require which fields to make a UAPI with acceptable
> compatibility guarantees otherwise.
> 
Right, VFIO cannot do compatibility guarantees, it is just seem to be
that VFIO has enough information to copy_from_user sanely & safely and
handle over to IOMMU. Please help define the roles/responsibilities in
my other email. Then I will follow the guideline.

> > +	if (inv_info->argsz < minsz)
> > +		return -EINVAL;
> > +
> > +	/* Sanity check user filled invalidation dat sizes */
> > +	if (inv_info->granularity == IOMMU_INV_GRANU_ADDR &&
> > +		inv_info->argsz != offsetofend(struct
> > iommu_cache_invalidate_info,
> > +					addr_info))
> > +		return -EINVAL;
> > +
> > +	if (inv_info->granularity == IOMMU_INV_GRANU_PASID &&
> > +		inv_info->argsz != offsetofend(struct
> > iommu_cache_invalidate_info,
> > +					pasid_info))
> > +		return -EINVAL;
> > +
> >  	spin_lock_irqsave(&device_domain_lock, flags);
> >  	spin_lock(&iommu->lock);
> >  	info = get_domain_info(dev);
> > diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
> > index 35b43fe819ed..64dc2c66dfff 100644
> > --- a/drivers/iommu/intel-svm.c
> > +++ b/drivers/iommu/intel-svm.c
> > @@ -235,15 +235,27 @@ int intel_svm_bind_gpasid(struct iommu_domain
> > *domain, struct device *dev, struct dmar_domain *dmar_domain;
> >  	struct intel_svm_dev *sdev;
> >  	struct intel_svm *svm;
> > +	unsigned long minsz;
> >  	int ret = 0;
> >  
> >  	if (WARN_ON(!iommu) || !data)
> >  		return -EINVAL;
> >  
> > +	/*
> > +	 * We mandate that no size change in IOMMU UAPI data
> > before the
> > +	 * variable size union at the end.
> > +	 */
> > +	minsz = offsetofend(struct iommu_gpasid_bind_data,
> > padding);  
> 
> Same.  Thanks,
> 
> Alex
> 
> > +	if (data->argsz < minsz)
> > +		return -EINVAL;
> > +
> >  	if (data->version != IOMMU_GPASID_BIND_VERSION_1 ||
> >  	    data->format != IOMMU_PASID_FORMAT_INTEL_VTD)
> >  		return -EINVAL;
> >  
> > +	if (data->argsz != offsetofend(struct
> > iommu_gpasid_bind_data, vtd))
> > +		return -EINVAL;
> > +
> >  	if (!dev_is_pci(dev))
> >  		return -ENOTSUPP;
> >    
> 

[Jacob Pan]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ