lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20210211124351.53a833c5@omen.home.shazbot.org>
Date:   Thu, 11 Feb 2021 12:43:51 -0700
From:   Alex Williamson <alex.williamson@...hat.com>
To:     Christoph Hellwig <hch@...radead.org>
Cc:     Jason Gunthorpe <jgg@...dia.com>,
        Max Gurtovoy <mgurtovoy@...dia.com>,
        Cornelia Huck <cohuck@...hat.com>,
        Matthew Rosato <mjrosato@...ux.ibm.com>, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org, liranl@...dia.com, oren@...dia.com,
        tzahio@...dia.com, leonro@...dia.com, yarong@...dia.com,
        aviadye@...dia.com, shahafs@...dia.com, artemp@...dia.com,
        kwankhede@...dia.com, ACurrid@...dia.com, gmataev@...dia.com,
        cjia@...dia.com, yishaih@...dia.com, aik@...abs.ru
Subject: Re: [PATCH 8/9] vfio/pci: use x86 naming instead of igd

On Thu, 11 Feb 2021 08:44:26 +0000
Christoph Hellwig <hch@...radead.org> wrote:

> On Tue, Feb 02, 2021 at 04:59:23PM -0700, Alex Williamson wrote:
> > vfio-pci-igd support knows very little about the device, we're
> > effectively just exposing a firmware table and some of the host bridge
> > config space (read-only).  So the idea that the host kernel needs to
> > have updated i915 support in order to expose the device to userspace
> > with these extra regions is a bit silly.  
> 
> On the other hand assuming the IGD scheme works for every device
> with an Intel Vendor ID and a VGA classcode that hangs off an Intel
> host bridge seems highly dangerous.  Is this actually going to work
> for the new discreete Intel graphics?  For the old i740?  And if not
> what is the failure scenario?

The failure scenario is that we expose read-only copies of the OpRegion
firmware table and host and lpc bridge config space to userspace.  Not
exactly dangerous.  For discrete graphics we'd simply fail the device
probe if the target device isn't on the root bus.  This would cover the
old i740 as well, assuming you're seriously concerned about someone
plugging in a predominantly AGP graphics card from 20+ years ago into a
modern system and trying to assign it to a guest.  Thanks,

Alex

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ