lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3bb87b4c-f646-20fe-7cc5-c7449432811e@arm.com>
Date:   Tue, 6 Jul 2021 10:22:40 +0100
From:   Robin Murphy <robin.murphy@....com>
To:     Gerald Schaefer <gerald.schaefer@...ux.ibm.com>,
        Christoph Hellwig <hch@....de>,
        iommu@...ts.linux-foundation.org
Cc:     linux-s390 <linux-s390@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Niklas Schnelle <schnelle@...ux.ibm.com>
Subject: Re: [RFC PATCH 1/1] dma-debug: fix check_for_illegal_area() in
 debug_dma_map_sg()

On 2021-07-05 19:52, Gerald Schaefer wrote:
> The following warning occurred sporadically on s390:
> DMA-API: nvme 0006:00:00.0: device driver maps memory from kernel text or rodata [addr=0000000048cc5e2f] [len=131072]
> WARNING: CPU: 4 PID: 825 at kernel/dma/debug.c:1083 check_for_illegal_area+0xa8/0x138
> 
> It is a false-positive warning, due to a broken logic in debug_dma_map_sg().
> check_for_illegal_area() should check for overlay of sg elements with kernel
> text or rodata. It is called with sg_dma_len(s) instead of s->length as
> parameter. After the call to ->map_sg(), sg_dma_len() contains the length
> of possibly combined sg elements in the DMA address space, and not the
> individual sg element length, which would be s->length.
> 
> The check will then use the kernel start address of an sg element, and add
> the DMA length for overlap check, which can result in the false-positive
> warning because the DMA length can be larger than the actual single sg
> element length in kernel address space.
> 
> In addition, the call to check_for_illegal_area() happens in the iteration
> over mapped_ents, which will not include all individual sg elements if
> any of them were combined in ->map_sg().
> 
> Fix this by using s->length instead of sg_dma_len(s). Also put the call to
> check_for_illegal_area() in a separate loop, iterating over all the
> individual sg elements ("nents" instead of "mapped_ents").
> 
> Fixes: 884d05970bfb ("dma-debug: use sg_dma_len accessor")
> Tested-by: Niklas Schnelle <schnelle@...ux.ibm.com>
> Signed-off-by: Gerald Schaefer <gerald.schaefer@...ux.ibm.com>
> ---
>   kernel/dma/debug.c | 10 ++++++----
>   1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
> index 14de1271463f..d7d44b7fe7e2 100644
> --- a/kernel/dma/debug.c
> +++ b/kernel/dma/debug.c
> @@ -1299,6 +1299,12 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg,
>   	if (unlikely(dma_debug_disabled()))
>   		return;
>   
> +	for_each_sg(sg, s, nents, i) {
> +		if (!PageHighMem(sg_page(s))) {
> +			check_for_illegal_area(dev, sg_virt(s), s->length);
> +		}
> +	}
> +
>   	for_each_sg(sg, s, mapped_ents, i) {
>   		entry = dma_entry_alloc();
>   		if (!entry)
> @@ -1316,10 +1322,6 @@ void debug_dma_map_sg(struct device *dev, struct scatterlist *sg,
>   
>   		check_for_stack(dev, sg_page(s), s->offset);

Strictly this should probably be moved to the new loop as well, as it is 
similarly concerned with validating the source segments rather than the 
DMA mappings - I think with virtually-mapped stacks it might technically 
be possible for a stack page to be physically adjacent to a "valid" page 
such that it could get merged and overlooked if it were near the end of 
the list, although in fairness that would probably be indicative of 
something having gone far more fundamentally wrong. Otherwise, the 
overall reasoning looks sound to me.

Robin.

>   
> -		if (!PageHighMem(sg_page(s))) {
> -			check_for_illegal_area(dev, sg_virt(s), sg_dma_len(s));
> -		}
> -
>   		check_sg_segment(dev, s);
>   
>   		add_dma_entry(entry);
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ