| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Sep 2020 16:33:26 +0200
From: Greg KH <gregkh@...uxfoundation.org>
To: Alex Williamson <alex.williamson@...hat.com>
Cc: Ajay Kaher <akaher@...are.com>, sashal@...nel.org,
cohuck@...hat.com, peterx@...hat.com, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org,
srivatsab@...are.com, srivatsa@...il.mit.edu,
vsirnapalli@...are.com
Subject: Re: [PATCH v4.14.y 0/3] vfio: Fix for CVE-2020-12888
On Tue, Sep 08, 2020 at 08:29:04AM -0600, Alex Williamson wrote:
> On Tue, 8 Sep 2020 01:47:08 +0530
> Ajay Kaher <akaher@...are.com> wrote:
>
> > CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some
> > devices may lead to DoS scenario
> >
> > The VFIO modules allow users (guest VMs) to enable or disable access to the
> > devices' MMIO memory address spaces. If a user attempts to access (read/write)
> > the devices' MMIO address space when it is disabled, some h/w devices issue an
> > interrupt to the CPU to indicate a fatal error condition, crashing the system.
> > This flaw allows a guest user or process to crash the host system resulting in
> > a denial of service.
> >
> > Patch 1/ is to force the user fault if PFNMAP vma might be DMA mapped
> > before user access.
> >
> > Patch 2/ setup a vm_ops handler to support dynamic faulting instead of calling
> > remap_pfn_range(). Also provides a list of vmas actively mapping the area which
> > can later use to invalidate those mappings.
> >
> > Patch 3/ block the user from accessing memory spaces which is disabled by using
> > new vma list support to zap, or invalidate, those memory mappings in order to
> > force them to be faulted back in on access.
> >
> > Upstreamed patches link:
> > https://lore.kernel.org/kvm/158871401328.15589.17598154478222071285.stgit@gimli.home
> >
> > [PATCH v4.14.y 1/3]:
> > Backporting of upsream commit 41311242221e:
> > vfio/type1: Support faulting PFNMAP vmas
> >
> > [PATCH v4.14.y 2/3]:
> > Backporting of upsream commit 11c4cd07ba11:
> > vfio-pci: Fault mmaps to enable vma tracking
> >
> > [PATCH v4.14.y 3/3]:
> > Backporting of upsream commit abafbc551fdd:
> > vfio-pci: Invalidate mmaps and block MMIO access on disabled memory
> >
>
> I'd recommend also including the following or else SR-IOV VFs will be
> broken for DPDK:
>
> commit ebfa440ce38b7e2e04c3124aa89c8a9f4094cf21
> Author: Alex Williamson <alex.williamson@...hat.com>
> Date: Thu Jun 25 11:04:23 2020 -0600
>
> vfio/pci: Fix SR-IOV VF handling with MMIO blocking
>
> SR-IOV VFs do not implement the memory enable bit of the command
> register, therefore this bit is not set in config space after
> pci_enable_device(). This leads to an unintended difference
> between PF and VF in hand-off state to the user. We can correct
> this by setting the initial value of the memory enable bit in our
> virtualized config space. There's really no need however to
> ever fault a user on a VF though as this would only indicate an
> error in the user's management of the enable bit, versus a PF
> where the same access could trigger hardware faults.
>
> Fixes: abafbc551fdd ("vfio-pci: Invalidate mmaps and block MMIO access on disabled memory")
> Signed-off-by: Alex Williamson <alex.williamson@...hat.com>
Good catch, now queued up, thanks.
greg k-h
Powered by blists - more mailing lists