| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Aug 2020 12:03:56 +0200
From: Auger Eric <eric.auger@...hat.com>
To: "Liu, Yi L" <yi.l.liu@...el.com>,
Jacob Pan <jacob.jun.pan@...ux.intel.com>,
"iommu@...ts.linux-foundation.org" <iommu@...ts.linux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>,
Joerg Roedel <joro@...tes.org>,
Alex Williamson <alex.williamson@...hat.com>
Cc: Lu Baolu <baolu.lu@...ux.intel.com>,
David Woodhouse <dwmw2@...radead.org>,
"Tian, Kevin" <kevin.tian@...el.com>,
"Raj, Ashok" <ashok.raj@...el.com>,
Christoph Hellwig <hch@...radead.org>,
Jean-Philippe Brucker <jean-philippe@...aro.com>,
Jonathan Corbet <corbet@....net>
Subject: Re: [PATCH v7 6/7] iommu/uapi: Handle data and argsz filled by users
Hi Yi,
On 8/13/20 11:38 AM, Liu, Yi L wrote:
>> From: Auger Eric <eric.auger@...hat.com>
>> Sent: Thursday, August 13, 2020 5:31 PM
>>
>> Hi Yi,
>>
>> On 8/13/20 11:25 AM, Liu, Yi L wrote:
>>> Hi Eric,
>>>
>>>
>>>> From: Auger Eric <eric.auger@...hat.com>
>>>> Sent: Thursday, August 13, 2020 5:12 PM
>>>>
>>>> Hi Jacob,
>>>>
>>>> On 7/30/20 2:21 AM, Jacob Pan wrote:
>>>>> IOMMU user APIs are responsible for processing user data. This patch
>>>>> changes the interface such that user pointers can be passed into
>>>>> IOMMU code directly. Separate kernel APIs without user pointers are
>>>>> introduced for in-kernel users of the UAPI functionality.
>>>> This is just done for a single function, ie. iommu_sva_unbind_gpasid.
>>>>
>>>> If I am not wrong there is no user of this latter after applying the
>>>> whole series? If correct you may remove it at this stage?
>>>
>>> the user of this function is in vfio. And it is the same with
>>> iommu_uapi_sva_bind/unbind_gpasid() and iommu_uapi_cache_invalidate().
>>>
>>> https://lore.kernel.org/kvm/1595917664-33276-11-git-send-email-yi.l.li
>>> u@...el.com/
>>> https://lore.kernel.org/kvm/1595917664-33276-12-git-send-email-yi.l.li
>>> u@...el.com/
>> Yep I know ;-) But this series mostly deals with iommu uapi rework.
>> That's not a big deal though.
>
> I see. btw. it's great if you can take a look on vfio v6 to see if your comments
> are well addressed. :-)
Yep I will do asap
Thanks
Eric
>
> Regards,
> Yi Liu
>
>> Thanks
>>
>> Eric
>>>
>>> Regards,
>>> Yi Liu
>>>
>>>>>
>>>>> IOMMU UAPI data has a user filled argsz field which indicates the
>>>>> data length of the structure. User data is not trusted, argsz must
>>>>> be validated based on the current kernel data size, mandatory data
>>>>> size, and feature flags.
>>>>>
>>>>> User data may also be extended, resulting in possible argsz increase.
>>>>> Backward compatibility is ensured based on size and flags (or the
>>>>> functional equivalent fields) checking.
>>>>>
>>>>> This patch adds sanity checks in the IOMMU layer. In addition to
>>>>> argsz, reserved/unused fields in padding, flags, and version are also checked.
>>>>> Details are documented in Documentation/userspace-api/iommu.rst
>>>>>
>>>>> Signed-off-by: Liu Yi L <yi.l.liu@...el.com>
>>>>> Signed-off-by: Jacob Pan <jacob.jun.pan@...ux.intel.com>
>>>>> ---
>>>>> drivers/iommu/iommu.c | 201
>>>> ++++++++++++++++++++++++++++++++++++++++++++++++--
>>>>> include/linux/iommu.h | 28 ++++---
>>>>> 2 files changed, 212 insertions(+), 17 deletions(-)
>>>>>
>>>>> diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c index
>>>>> 3a913ce94a3d..1ee55c4b3a3a 100644
>>>>> --- a/drivers/iommu/iommu.c
>>>>> +++ b/drivers/iommu/iommu.c
>>>>> @@ -1950,33 +1950,218 @@ int iommu_attach_device(struct iommu_domain
>>>> *domain, struct device *dev)
>>>>> }
>>>>> EXPORT_SYMBOL_GPL(iommu_attach_device);
>>>>>
>>>>> +/*
>>>>> + * Check flags and other user provided data for valid combinations.
>>>>> +We also
>>>>> + * make sure no reserved fields or unused flags are set. This is to
>>>>> +ensure
>>>>> + * not breaking userspace in the future when these fields or flags are used.
>>>>> + */
>>>>> +static int iommu_check_cache_invl_data(struct
>>>>> +iommu_cache_invalidate_info
>>>> *info)
>>>>> +{
>>>>> + u32 mask;
>>>>> + int i;
>>>>> +
>>>>> + if (info->version != IOMMU_CACHE_INVALIDATE_INFO_VERSION_1)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + mask = (1 << IOMMU_CACHE_INV_TYPE_NR) - 1;
>>>>> + if (info->cache & ~mask)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + if (info->granularity >= IOMMU_INV_GRANU_NR)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + switch (info->granularity) {
>>>>> + case IOMMU_INV_GRANU_ADDR:
>>>>> + if (info->cache & IOMMU_CACHE_INV_TYPE_PASID)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + mask = IOMMU_INV_ADDR_FLAGS_PASID |
>>>>> + IOMMU_INV_ADDR_FLAGS_ARCHID |
>>>>> + IOMMU_INV_ADDR_FLAGS_LEAF;
>>>>> +
>>>>> + if (info->granu.addr_info.flags & ~mask)
>>>>> + return -EINVAL;
>>>>> + break;
>>>>> + case IOMMU_INV_GRANU_PASID:
>>>>> + mask = IOMMU_INV_PASID_FLAGS_PASID |
>>>>> + IOMMU_INV_PASID_FLAGS_ARCHID;
>>>>> + if (info->granu.pasid_info.flags & ~mask)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + break;
>>>>> + case IOMMU_INV_GRANU_DOMAIN:
>>>>> + if (info->cache & IOMMU_CACHE_INV_TYPE_DEV_IOTLB)
>>>>> + return -EINVAL;
>>>>> + break;
>>>>> + default:
>>>>> + return -EINVAL;
>>>>> + }
>>>>> +
>>>>> + /* Check reserved padding fields */
>>>>> + for (i = 0; i < sizeof(info->padding); i++) {
>>>>> + if (info->padding[i])
>>>>> + return -EINVAL;
>>>>> + }
>>>>> +
>>>>> + return 0;
>>>>> +}
>>>>> +
>>>>> int iommu_uapi_cache_invalidate(struct iommu_domain *domain, struct
>>>>> device
>>>> *dev,
>>>>> - struct iommu_cache_invalidate_info *inv_info)
>>>>> + void __user *uinfo)
>>>>> {
>>>>> + struct iommu_cache_invalidate_info inv_info = { 0 };
>>>>> + u32 minsz;
>>>>> + int ret = 0;
>>>>> +
>>>>> if (unlikely(!domain->ops->cache_invalidate))
>>>>> return -ENODEV;
>>>>> > - return domain->ops->cache_invalidate(domain, dev, inv_info);
>>>>> + /*
>>>>> + * No new spaces can be added before the variable sized union, the
>>>>> + * minimum size is the offset to the union.
>>>>> + */
>>>>> + minsz = offsetof(struct iommu_cache_invalidate_info, granu);
>>>>> +
>>>>> + /* Copy minsz from user to get flags and argsz */
>>>>> + if (copy_from_user(&inv_info, uinfo, minsz))
>>>>> + return -EFAULT;
>>>>> +
>>>>> + /* Fields before variable size union is mandatory */
>>>>> + if (inv_info.argsz < minsz)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + /* PASID and address granu require additional info beyond minsz */
>>>>> + if (inv_info.argsz == minsz &&
>>>>> + ((inv_info.granularity == IOMMU_INV_GRANU_PASID) ||
>>>>> + (inv_info.granularity == IOMMU_INV_GRANU_ADDR)))
>>>>> + return -EINVAL;
>>>>> +
>>>>> + if (inv_info.granularity == IOMMU_INV_GRANU_PASID &&
>>>>> + inv_info.argsz < offsetofend(struct
>>>>> +iommu_cache_invalidate_info,
>>>> granu.pasid_info))
>>>>> + return -EINVAL;
>>>>> +
>>>>> + if (inv_info.granularity == IOMMU_INV_GRANU_ADDR &&
>>>>> + inv_info.argsz < offsetofend(struct
>>>>> +iommu_cache_invalidate_info,
>>>> granu.addr_info))
>>>>> + return -EINVAL;
>>>>> +
>>>>> + /*
>>>>> + * User might be using a newer UAPI header which has a larger data
>>>>> + * size, we shall support the existing flags within the current
>>>>> + * size. Copy the remaining user data _after_ minsz but not more
>>>>> + * than the current kernel supported size.
>>>>> + */
>>>>> + if (copy_from_user((void *)&inv_info + minsz, uinfo + minsz,
>>>>> + min_t(u32, inv_info.argsz, sizeof(inv_info)) - minsz))
>>>>> + return -EFAULT;
>>>>> +
>>>>> + /* Now the argsz is validated, check the content */
>>>>> + ret = iommu_check_cache_invl_data(&inv_info);
>>>>> + if (ret)
>>>>> + return ret;
>>>>> +
>>>>> + return domain->ops->cache_invalidate(domain, dev, &inv_info);
>>>>> }
>>>>> EXPORT_SYMBOL_GPL(iommu_uapi_cache_invalidate);
>>>>>
>>>>> -int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
>>>>> - struct device *dev, struct iommu_gpasid_bind_data
>>>> *data)
>>>>> +static int iommu_check_bind_data(struct iommu_gpasid_bind_data
>>>>> +*data) {
>>>>> + u32 mask;
>>>>> + int i;
>>>>> +
>>>>> + if (data->version != IOMMU_GPASID_BIND_VERSION_1)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + /* Check the range of supported formats */
>>>>> + if (data->format >= IOMMU_PASID_FORMAT_LAST)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + /* Check all flags */
>>>>> + mask = IOMMU_SVA_GPASID_VAL;
>>>>> + if (data->flags & ~mask)
>>>>> + return -EINVAL;
>>>>> +
>>>>> + /* Check reserved padding fields */
>>>>> + for (i = 0; i < sizeof(data->padding); i++) {
>>>>> + if (data->padding[i])
>>>>> + return -EINVAL;
>>>>> + }
>>>>> +
>>>>> + return 0;
>>>>> +}
>>>>> +
>>>>> +static int iommu_sva_prepare_bind_data(void __user *udata,
>>>>> + struct iommu_gpasid_bind_data *data)
>>>>> {
>>>>> + u32 minsz;
>>>>> +
>>>>> + /*
>>>>> + * No new spaces can be added before the variable sized union, the
>>>>> + * minimum size is the offset to the union.
>>>>> + */
>>>>> + minsz = offsetof(struct iommu_gpasid_bind_data, vendor);
>>>>> +
>>>>> + /* Copy minsz from user to get flags and argsz */
>>>>> + if (copy_from_user(data, udata, minsz))
>>>>> + return -EFAULT;
>>>>> +
>>>>> + /* Fields before variable size union is mandatory */
>>>>> + if (data->argsz < minsz)
>>>>> + return -EINVAL;
>>>>> + /*
>>>>> + * User might be using a newer UAPI header, we shall let IOMMU vendor
>>>>> + * driver decide on what size it needs. Since the guest PASID bind data
>>>>> + * can be vendor specific, larger argsz could be the result of extension
>>>>> + * for one vendor but it should not affect another vendor.
>>>>> + * Copy the remaining user data _after_ minsz
>>>>> + */
>>>>> + if (copy_from_user((void *)data + minsz, udata + minsz,
>>>>> + min_t(u32, data->argsz, sizeof(*data)) - minsz))
>>>>> + return -EFAULT;
>>>>> +
>>>>> + return iommu_check_bind_data(data); }
>>>>> +
>>>>> +int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain, struct
>>>>> +device
>>>> *dev,
>>>>> + void __user *udata)
>>>>> +{
>>>>> + struct iommu_gpasid_bind_data data = { 0 };
>>>>> + int ret;
>>>>> +
>>>>> if (unlikely(!domain->ops->sva_bind_gpasid))
>>>>> return -ENODEV;
>>>>>
>>>>> - return domain->ops->sva_bind_gpasid(domain, dev, data);
>>>>> + ret = iommu_sva_prepare_bind_data(udata, &data);
>>>>> + if (ret)
>>>>> + return ret;
>>>>> +
>>>>> + return domain->ops->sva_bind_gpasid(domain, dev, &data);
>>>>> }
>>>>> EXPORT_SYMBOL_GPL(iommu_uapi_sva_bind_gpasid);
>>>>>
>>>>> -int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
>>>>> struct device
>>>> *dev,
>>>>> - ioasid_t pasid)
>>>>> +int iommu_sva_unbind_gpasid(struct iommu_domain *domain, struct device
>> *dev,
>>>>> + struct iommu_gpasid_bind_data *data)
>>>>> {
>>>>> if (unlikely(!domain->ops->sva_unbind_gpasid))
>>>>> return -ENODEV;
>>>>>
>>>>> - return domain->ops->sva_unbind_gpasid(dev, pasid);
>>>>> + return domain->ops->sva_unbind_gpasid(dev, data->hpasid); }
>>>>> +EXPORT_SYMBOL_GPL(iommu_sva_unbind_gpasid);
>>>>> +
>>>>> +int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
>>>>> +struct device
>>>> *dev,
>>>>> + void __user *udata)
>>>>> +{
>>>>> + struct iommu_gpasid_bind_data data = { 0 };
>>>>> + int ret;
>>>>> +
>>>>> + if (unlikely(!domain->ops->sva_bind_gpasid))
>>>>> + return -ENODEV;
>>>>> +
>>>>> + ret = iommu_sva_prepare_bind_data(udata, &data);
>>>>> + if (ret)
>>>>> + return ret;
>>>>> +
>>>>> + return iommu_sva_unbind_gpasid(domain, dev, &data);
>>>>> }
>>>>> EXPORT_SYMBOL_GPL(iommu_uapi_sva_unbind_gpasid);
>>>>>
>>>>> diff --git a/include/linux/iommu.h b/include/linux/iommu.h index
>>>>> 2dcc1a33f6dc..4a02c9e09048 100644
>>>>> --- a/include/linux/iommu.h
>>>>> +++ b/include/linux/iommu.h
>>>>> @@ -432,11 +432,14 @@ extern void iommu_detach_device(struct
>>>> iommu_domain *domain,
>>>>> struct device *dev);
>>>>> extern int iommu_uapi_cache_invalidate(struct iommu_domain *domain,
>>>>> struct device *dev,
>>>>> - struct iommu_cache_invalidate_info *inv_info);
>>>>> + void __user *uinfo);
>>>>> +
>>>>> extern int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
>>>>> - struct device *dev, struct
>>>> iommu_gpasid_bind_data *data);
>>>>> + struct device *dev, void __user *udata);
>>>>> extern int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
>>>>> - struct device *dev, ioasid_t pasid);
>>>>> + struct device *dev, void __user *udata);
>> extern int
>>>>> +iommu_sva_unbind_gpasid(struct iommu_domain *domain,
>>>>> + struct device *dev, struct
>>>> iommu_gpasid_bind_data *data);
>>>>> extern struct iommu_domain *iommu_get_domain_for_dev(struct device
>>>>> *dev); extern struct iommu_domain *iommu_get_dma_domain(struct
>>>>> device *dev); extern int iommu_map(struct iommu_domain *domain,
>>>>> unsigned long iova, @@ -1054,22 +1057,29 @@ static inline int
>>>>> iommu_sva_get_pasid(struct
>>>> iommu_sva *handle)
>>>>> return IOMMU_PASID_INVALID;
>>>>> }
>>>>>
>>>>> -static inline int iommu_uapi_cache_invalidate(struct iommu_domain *domain,
>>>>> - struct device *dev,
>>>>> - struct iommu_cache_invalidate_info
>>>> *inv_info)
>>>>> +static inline int
>>>>> +iommu_uapi_cache_invalidate(struct iommu_domain *domain,
>>>>> + struct device *dev,
>>>>> + struct iommu_cache_invalidate_info *inv_info)
>>>>> {
>>>>> return -ENODEV;
>>>>> }
>>>>>
>>>>> static inline int iommu_uapi_sva_bind_gpasid(struct iommu_domain *domain,
>>>>> - struct device *dev,
>>>>> - struct iommu_gpasid_bind_data *data)
>>>>> + struct device *dev, void __user *udata)
>>>>> {
>>>>> return -ENODEV;
>>>>> }
>>>>>
>>>>> static inline int iommu_uapi_sva_unbind_gpasid(struct iommu_domain *domain,
>>>>> - struct device *dev, int pasid)
>>>>> + struct device *dev, void __user *udata)
>> {
>>>>> + return -ENODEV;
>>>>> +}
>>>>> +
>>>>> +static inline int iommu_sva_unbind_gpasid(struct iommu_domain *domain,
>>>>> + struct device *dev,
>>>>> + struct iommu_gpasid_bind_data *data)
>>>>> {
>>>>> return -ENODEV;
>>>>> }
>>>>>
>>>> Otherwise looks good to me
>>>> Reviewed-by: Eric Auger <eric.auger@...hat.com>
>>>>
>>>> Thanks
>>>>
>>>> Eric
>>>
>
Powered by blists - more mailing lists