lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAOtvUMf_LPN80MV_GmnA6P2y8-PiazZ8nahDp_Gdpz-Ns3n8pw@mail.gmail.com>
Date:   Mon, 7 Mar 2022 15:21:58 +0200
From:   Gilad Ben-Yossef <gilad@...yossef.com>
To:     Robin Murphy <robin.murphy@....com>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        Linux kernel mailing list <linux-kernel@...r.kernel.org>,
        iommu@...ts.linux-foundation.org,
        Corentin Labbe <clabbe.montjoie@...il.com>,
        Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        Christoph Hellwig <hch@....de>
Subject: Re: [BUG] crypto: ccree: driver does not handle case where cryptlen =
 authsize =0

On Mon, Mar 7, 2022 at 3:12 PM Robin Murphy <robin.murphy@....com> wrote:
>
> On 2022-03-07 13:03, Robin Murphy wrote:
> > On 2022-03-07 12:47, Gilad Ben-Yossef wrote:
> >> On Mon, Mar 7, 2022 at 2:36 PM Robin Murphy <robin.murphy@....com> wrote:
> >>>
> >>> On 2022-03-07 12:17, Gilad Ben-Yossef wrote:
> >>>> On Mon, Mar 7, 2022 at 1:14 PM Robin Murphy <robin.murphy@....com>
> >>>> wrote:
> >>>>
> >>>>> The "overlap" is in the sense of having more than one mapping
> >>>>> within the
> >>>>> same cacheline:
> >>>>>
> >>>>> [  142.458120] DMA-API: add_dma_entry start P=ba79f200 N=ba79f
> >>>>> D=ba79f200 L=10 DMA_FROM_DEVICE attrs=0
> >>>>> [  142.458156] DMA-API: add_dma_entry start P=445dc010 N=445dc
> >>>>> D=445dc010 L=10 DMA_TO_DEVICE attrs=0
> >>>>> [  142.458178] sun8i-ss 1c15000.crypto: SRC 0/1/1 445dc000 len=16 bi=0
> >>>>> [  142.458215] sun8i-ss 1c15000.crypto: DST 0/1/1 ba79f200 len=16 bi=0
> >>>>> [  142.458234] DMA-API: add_dma_entry start P=ba79f210 N=ba79f
> >>>>> D=ba79f210 L=10 DMA_FROM_DEVICE attrs=0
> >>>>>
> >>>>> This actually illustrates exactly the reason why this is
> >>>>> unsupportable.
> >>>>> ba79f200 is mapped for DMA_FROM_DEVICE, therefore subsequently mapping
> >>>>> ba79f210 for DMA_TO_DEVICE may cause the cacheline covering the range
> >>>>> ba79f200-ba79f23f to be written back over the top of data that the
> >>>>> device has already started to write to memory. Hello data corruption.
> >>>>>
> >>>>> Separate DMA mappings should be from separate memory allocations,
> >>>>> respecting ARCH_DMA_MINALIGN.
> >>>>
> >>>> hmm... I know I'm missing something here, but how does this align with
> >>>> the following from active_cacheline_insert() in kernel/dma/debug.c ?
> >>>>
> >>>>           /* If the device is not writing memory then we don't have any
> >>>>            * concerns about the cpu consuming stale data.  This
> >>>> mitigates
> >>>>            * legitimate usages of overlapping mappings.
> >>>>            */
> >>>>           if (entry->direction == DMA_TO_DEVICE)
> >>>>                   return 0;
> >>>
> >>> It's OK to have multiple mappings that are *all* DMA_TO_DEVICE, which
> >>> looks to be the case that this check was intended to allow. However I
> >>> think you're right that it should still actually check for conflicting
> >>> directions between the new entry and any existing ones, otherwise it
> >>> ends up a bit too lenient.
> >>>
> >>> Cheers,
> >>> Robin.
> >>
> >> I understand what you are saying about why checking for conflicting
> >> directions may be a good thing, but given that the code is as it is
> >> right now, how are we seeing the warning for two mapping that one of
> >> them is DMA_TO_DEVICE?
> >
> > Because it's the second one that isn't. The warning is triggered by
> > adding the DMA_FROM_DEVICE entry, which *is* checked, and finds the
> > DMA_TO_DEVICE entry already present. What's not great is that if those
> > two mappings happened to be made in the opposite order then it would be
> > missed entirely.
>
> Urgh, no, sorry, that's some imaginary conflation of the cacheline radix
> tree with the entry hash bucket...
>
> What's actually happened here is that I've failed to read the log
> properly and they're both DMA_FROM_DEVICE. But the potential problem of
> mixed-direction mappings being missed does still stand in general.

Ah, right!

OK, Now I feel a little better.

You know, I think that dma debug logic is oversimplified a bit in
other ways too.

Think for example about the scenario that started this - a (crypto,
but it doesn't matter) gets two sg lists - src and dst.
It will map the src for DMA_TO_DEVICE and the dst as DMA_FROM_DEVICE.

Now the two sg list might actually be one and the same or they might
be two different sg lists but referring to the exact same buffers.

So long as  the driver DMA maps, says, the src first and then the dst,
or vice versa, and does not initiate any read/write from either the
CPU or device until the 2nd mapping, I would claim that this is
perfectly safe (same thing for not touching the buffer post the first
unmap and before the 2nd) and it does simplify the driver quite a bit
- but the dma debug logic will consider it an error right now.

Gilad




-- 
Gilad Ben-Yossef
Chief Coffee Drinker

values of β will give rise to dom!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ