lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <584b7ff1-ecf2-b0ec-cea3-ccc29902f43a@huawei.com>
Date:   Mon, 16 Nov 2020 21:09:52 +0800
From:   Zenghui Yu <yuzenghui@...wei.com>
To:     Marc Zyngier <maz@...nel.org>
CC:     <kvmarm@...ts.cs.columbia.edu>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>, <eric.auger@...hat.com>,
        <james.morse@....com>, <julien.thierry.kdev@...il.com>,
        <suzuki.poulose@....com>, <wanghaibin.wang@...wei.com>,
        Keqian Zhu <zhukeqian1@...wei.com>
Subject: Re: [PATCH 1/2] KVM: arm64: vgic: Forbid invalid userspace
 Redistributor accesses

Hi Marc,

On 2020/11/16 1:04, Marc Zyngier wrote:
> Hi Zenghui,
> 
> On 2020-11-13 14:28, Zenghui Yu wrote:
>> It's expected that users will access registers in the redistributor *if*
>> the RD has been initialized properly. Unfortunately userspace can be 
>> bogus
>> enough to access registers before setting the RD base address, and KVM
>> implicitly allows it (we handle the access anyway, regardless of whether
>> the base address is set).
>>
>> Bad thing happens when we're handling the user read of GICR_TYPER. We end
>> up with an oops when deferencing the unset rdreg...
>>
>>     gpa_t last_rdist_typer = rdreg->base + GICR_TYPER +
>>             (rdreg->free_index - 1) * KVM_VGIC_V3_REDIST_SIZE;
>>
>> Fix this issue by informing userspace what had gone wrong (-ENXIO).
> 
> I'm worried about the "implicit" aspect of the access that this patch
> now forbids.
> 
> The problem is that the existing documentation doesn't cover this case, > and -ENXIO's "Getting or setting this register is not yet supported"
> is way too vague.

Indeed. How about changing to

     -ENXIO  Getting or setting this register is not yet supported
             or VGIC not properly configured (e.g., [Re]Distributor base
             address is unknown)

> There is a precedent with the ITS, but that's 
> undocumented
> as well. Also, how about v2? If that's the wasy we are going to fix this,
> we also nned to beef up the documentation.

Sure, I plan to do so and hope it won't break the existing userspace.

> Of course, the other horrible way to address the issue is to return a value
> that doesn't have the Last bit set, since we can't synthetise it. It 
> doesn't
> change the userspace API, and I can even find some (admittedly  twisted)
> logic to it (since there is no base address, there is no last RD...).

I'm fine with it. But I'm afraid that there might be other issues due to
the "unexpected" accesses since I haven't tested with all registers from
userspace.

My take is that only if the "[Re]Distributor base address" is specified
in the system memory map, will the user-provided kvm_device_attr.offset
make sense. And we can then handle the access to the register which is
defined by "base address + offset".


Thanks,
Zenghui

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ