lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 27 May 2021 14:06:10 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Russell King' <linux@...linux.org.uk>,
        Krzysztof Hałasa <khalasa@...p.pl>
CC:     linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
        lkml <linux-kernel@...r.kernel.org>
Subject: RE: Data corruption on i.MX6 IPU in arm_copy_from_user()

From: Russell King <linux@...linux.org.uk>
> Sent: 26 May 2021 14:19
> 
> On Wed, May 26, 2021 at 02:29:07PM +0200, Krzysztof Hałasa wrote:
> > "Russell King (Oracle)" <linux@...linux.org.uk> writes:
> >
> > > Surely someone is not using copy_*_user() to copy data from userspace
> > > direct to MMIO space... that would be crazy.
> >
> > No, it's the other way around: reading MMIO mapped to userspace (mmap
> > on /dev/mem) and copying it to simple kernel buffer (e.g. pipe buffer).
> > I.e., the MMIO is the userspace here (thus copy_from_user()).
> 
> Ah. I think we assume copy_from_user() will be used on memory only and
> not device mappings.
> 
> In any case, looking at the architecture reference manual, LDM is
> permitted on device and strongly ordered mappings, and the memory
> subsystem is required to decompose it into a series of 32-bit accesses.
> So, it sounds to me like there could be a hardware bug in the buses/IPU
> causing this.
> 
> Can you try using LDM directly inside the kernel and seeing what effect
> it has when reading the IPU? A simple test module should be sufficient.
> I suspect it'll show the same thing - basically, that using LDM to the
> IPU is broken.

I was wondering if there is some kind of page fault on the first access?

What happens if you repeat the write() ?

FWIW you don't want to try this on x86.
The MMIO addresses are likely to be uncached but the copy
function is likely to decide to use the ERMS 'rep movsb' so
suddenly you get single byte PCIe reads!
What you really want is the largest AVX register available.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ