| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Jan 2021 11:41:18 +0800
From: Claire Chang <tientzu@...omium.org>
To: robh+dt@...nel.org, mpe@...erman.id.au, benh@...nel.crashing.org,
paulus@...ba.org, joro@...tes.org, will@...nel.org,
frowand.list@...il.com, konrad.wilk@...cle.com,
boris.ostrovsky@...cle.com, jgross@...e.com,
sstabellini@...nel.org, hch@....de, m.szyprowski@...sung.com,
robin.murphy@....com
Cc: grant.likely@....com, xypron.glpk@....de, treding@...dia.com,
mingo@...nel.org, bauerman@...ux.ibm.com, peterz@...radead.org,
gregkh@...uxfoundation.org, saravanak@...gle.com,
rafael.j.wysocki@...el.com, heikki.krogerus@...ux.intel.com,
andriy.shevchenko@...ux.intel.com, rdunlap@...radead.org,
dan.j.williams@...el.com, bgolaszewski@...libre.com,
devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org, iommu@...ts.linux-foundation.org,
xen-devel@...ts.xenproject.org, tfiga@...omium.org,
drinkcat@...omium.org, Claire Chang <tientzu@...omium.org>
Subject: [RFC PATCH v3 0/6] Restricted DMA
This series implements mitigations for lack of DMA access control on
systems without an IOMMU, which could result in the DMA accessing the
system memory at unexpected times and/or unexpected addresses, possibly
leading to data leakage or corruption.
For example, we plan to use the PCI-e bus for Wi-Fi and that PCI-e bus is
not behind an IOMMU. As PCI-e, by design, gives the device full access to
system memory, a vulnerability in the Wi-Fi firmware could easily escalate
to a full system exploit (remote wifi exploits: [1a], [1b] that shows a
full chain of exploits; [2], [3]).
To mitigate the security concerns, we introduce restricted DMA. Restricted
DMA utilizes the existing swiotlb to bounce streaming DMA in and out of a
specially allocated region and does memory allocation from the same region.
The feature on its own provides a basic level of protection against the DMA
overwriting buffer contents at unexpected times. However, to protect
against general data leakage and system memory corruption, the system needs
to provide a way to restrict the DMA to a predefined memory region (this is
usually done at firmware level, e.g. in ATF on some ARM platforms).
[1a] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
[1b] https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html
[2] https://blade.tencent.com/en/advisories/qualpwn/
[3] https://www.bleepingcomputer.com/news/security/vulnerabilities-found-in-highly-popular-firmware-for-wifi-chips/
Claire Chang (6):
swiotlb: Add io_tlb_mem struct
swiotlb: Add restricted DMA pool
swiotlb: Use restricted DMA pool if available
swiotlb: Add restricted DMA alloc/free support.
dt-bindings: of: Add restricted DMA pool
of: Add plumbing for restricted DMA pool
.../reserved-memory/reserved-memory.txt | 24 +
arch/powerpc/platforms/pseries/svm.c | 4 +-
drivers/iommu/dma-iommu.c | 12 +-
drivers/of/address.c | 21 +
drivers/of/device.c | 4 +
drivers/of/of_private.h | 5 +
drivers/xen/swiotlb-xen.c | 4 +-
include/linux/device.h | 4 +
include/linux/swiotlb.h | 61 +-
kernel/dma/Kconfig | 1 +
kernel/dma/direct.c | 20 +-
kernel/dma/direct.h | 10 +-
kernel/dma/swiotlb.c | 576 +++++++++++-------
13 files changed, 514 insertions(+), 232 deletions(-)
--
2.29.2.729.g45daf8777d-goog
v3:
Using only one reserved memory region for both streaming DMA and memory
allocation.
v2:
Building on top of swiotlb.
https://lore.kernel.org/patchwork/cover/1280705/
v1:
Using dma_map_ops.
https://lore.kernel.org/patchwork/cover/1271660/
Powered by blists - more mailing lists