| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cc45285fe491aff5c28a24f94c124508@kernel.org>
Date: Mon, 16 Nov 2020 14:10:34 +0000
From: Marc Zyngier <maz@...nel.org>
To: Zenghui Yu <yuzenghui@...wei.com>
Cc: kvmarm@...ts.cs.columbia.edu, linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org, eric.auger@...hat.com,
james.morse@....com, julien.thierry.kdev@...il.com,
suzuki.poulose@....com, wanghaibin.wang@...wei.com,
Keqian Zhu <zhukeqian1@...wei.com>
Subject: Re: [PATCH 1/2] KVM: arm64: vgic: Forbid invalid userspace
Redistributor accesses
On 2020-11-16 13:09, Zenghui Yu wrote:
> Hi Marc,
>
> On 2020/11/16 1:04, Marc Zyngier wrote:
>> Hi Zenghui,
>>
>> On 2020-11-13 14:28, Zenghui Yu wrote:
>>> It's expected that users will access registers in the redistributor
>>> *if*
>>> the RD has been initialized properly. Unfortunately userspace can be
>>> bogus
>>> enough to access registers before setting the RD base address, and
>>> KVM
>>> implicitly allows it (we handle the access anyway, regardless of
>>> whether
>>> the base address is set).
>>>
>>> Bad thing happens when we're handling the user read of GICR_TYPER. We
>>> end
>>> up with an oops when deferencing the unset rdreg...
>>>
>>> gpa_t last_rdist_typer = rdreg->base + GICR_TYPER +
>>> (rdreg->free_index - 1) * KVM_VGIC_V3_REDIST_SIZE;
>>>
>>> Fix this issue by informing userspace what had gone wrong (-ENXIO).
>>
>> I'm worried about the "implicit" aspect of the access that this patch
>> now forbids.
>>
>> The problem is that the existing documentation doesn't cover this
>> case, > and -ENXIO's "Getting or setting this register is not yet
>> supported"
>> is way too vague.
>
> Indeed. How about changing to
>
> -ENXIO Getting or setting this register is not yet supported
> or VGIC not properly configured (e.g., [Re]Distributor base
> address is unknown)
Looks OK to me.
>
>> There is a precedent with the ITS, but that's undocumented
>> as well. Also, how about v2? If that's the wasy we are going to fix
>> this,
>> we also nned to beef up the documentation.
>
> Sure, I plan to do so and hope it won't break the existing userspace.
Well, at this stage we can only hope.
>
>> Of course, the other horrible way to address the issue is to return a
>> value
>> that doesn't have the Last bit set, since we can't synthetise it. It
>> doesn't
>> change the userspace API, and I can even find some (admittedly
>> twisted)
>> logic to it (since there is no base address, there is no last RD...).
>
> I'm fine with it. But I'm afraid that there might be other issues due
> to
> the "unexpected" accesses since I haven't tested with all registers
> from
> userspace.
I have had a look at the weekend, and couldn't see any other other GICR
register that would suffer from rdreg being NULL. I haven't looked at
GICD, but I don't anticipate anything bad on that front.
> My take is that only if the "[Re]Distributor base address" is specified
> in the system memory map, will the user-provided kvm_device_attr.offset
> make sense. And we can then handle the access to the register which is
> defined by "base address + offset".
I'd tend to agree, but it is just that this is a large change at -rc4.
I'd rather have a quick fix for 5.10, and a more invasive change for
5.11,
spanning all the possible vgic devices.
M.
--
Jazz is not dead. It just smells funny...
Powered by blists - more mailing lists