lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 3 Aug 2020 09:29:13 +0800
From:   Jia-Ju Bai <baijiaju@...nghua.edu.cn>
To:     Zhou Wang <wangzhou1@...ilicon.com>, herbert@...dor.apana.org.au,
        davem@...emloft.net
Cc:     linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [BUG] crypto: hisilicon: accessing the data mapped to streaming
 DMA



On 2020/8/3 9:12, Zhou Wang wrote:
> On 2020/8/2 22:52, Jia-Ju Bai wrote:
>> In qm_qp_ctx_cfg(), "sqc" and "aeqc" are mapped to streaming DMA:
>>    eqc_dma = dma_map_single(..., eqc, ...);
>>    ......
>>    aeqc_dma = dma_map_single(..., aeqc, ...);
> Only sqc, cqc will be configured in qm_qp_ctx_cfg.
>
>> Then "sqc" and "aeqc" are accessed at many places, such as:
>>    eqc->base_l = cpu_to_le32(lower_32_bits(qm->eqe_dma));
>>    eqc->base_h = cpu_to_le32(upper_32_bits(qm->eqe_dma));
>>    ......
>>    aeqc->base_l = cpu_to_le32(lower_32_bits(qm->aeqe_dma));
>>    aeqc->base_h = cpu_to_le32(upper_32_bits(qm->aeqe_dma));
> There are sqc, cqc, eqc, aeqc, you seems misunderstand them.
>
>> These accesses may cause data inconsistency between CPU cache and hardware.
>>
>> I am not sure how to properly fix this problem, and thus I only report it.
> In qm_qp_ctx_cfg, sqc/cqc memory will be allocated and related mailbox will be sent
> to hardware. In qm_eq_ctx_cfg, eqc/aeqc related operations will be done.
>
> So there is no problem here :)

Ah, sorry, I misunderstood qm_eq_ctx_cfg() and qm_qp_ctx_cfg(), because their names are quite similar.
Now, I re-organize this report as follows:

In qm_eq_ctx_cfg(), "eqc" and "aeqc" are mapped to streaming DMA:
   eqc_dma = dma_map_single(..., eqc, ...);
   ......
   aeqc_dma = dma_map_single(..., aeqc, ...);

Then "sqc" and "aeqc" are accessed at some places in qm_eq_ctx_cfg(), such as:
   eqc->base_l = cpu_to_le32(lower_32_bits(qm->eqe_dma));
   eqc->base_h = cpu_to_le32(upper_32_bits(qm->eqe_dma));
   ......
   aeqc->base_l = cpu_to_le32(lower_32_bits(qm->aeqe_dma));
   aeqc->base_h = cpu_to_le32(upper_32_bits(qm->aeqe_dma));

These accesses may cause data inconsistency between CPU cache and hardware.

Besides, in qm_qp_ctx_cfg(), "sqc" and "cqc" are mapped to streaming DMA:
   sqc_dma = dma_map_single(..., sqc, ...);
   ......
   cqc_dma = dma_map_single(..., cqc, ...);


Then "sqc" and "cqc" are at some places in qm_qp_ctx_cfg(), such as:
   sqc->cq_num = cpu_to_le16(qp_id);
   sqc->w13 = cpu_to_le16(QM_MK_SQC_W13(0, 1, qp->alg_type));
   ......
   cqc->dw3 = cpu_to_le32(QM_MK_CQC_DW3_V2(4));
   cqc->w8 = 0;

These accesses may cause data inconsistency between CPU cache and hardware.

I think such problems (if they are real) can be fixed by finishing data assignment before DMA mapping.
  

Best wishes,
Jia-Ju Bai

Powered by blists - more mailing lists