lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 3 Jan 2024 08:44:03 -0400
From: Jason Gunthorpe <jgg@...dia.com>
To: Baolu Lu <baolu.lu@...ux.intel.com>
Cc: Yi Liu <yi.l.liu@...el.com>, joro@...tes.org,
	alex.williamson@...hat.com, kevin.tian@...el.com,
	robin.murphy@....com, cohuck@...hat.com, eric.auger@...hat.com,
	nicolinc@...dia.com, kvm@...r.kernel.org, mjrosato@...ux.ibm.com,
	chao.p.peng@...ux.intel.com, yi.y.sun@...ux.intel.com,
	peterx@...hat.com, jasowang@...hat.com,
	shameerali.kolothum.thodi@...wei.com, lulu@...hat.com,
	suravee.suthikulpanit@....com, iommu@...ts.linux.dev,
	linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
	zhenzhong.duan@...el.com, joao.m.martins@...cle.com,
	xin.zeng@...el.com, yan.y.zhao@...el.com, j.granados@...sung.com
Subject: Re: [PATCH v10 10/10] iommu/vt-d: Add iotlb flush for nested domain

On Wed, Jan 03, 2024 at 11:06:19AM +0800, Baolu Lu wrote:
> On 2024/1/3 9:33, Yi Liu wrote:
> > On 2024/1/3 02:44, Jason Gunthorpe wrote:
> > > On Tue, Jan 02, 2024 at 06:38:34AM -0800, Yi Liu wrote:
> > > 
> > > > +static void intel_nested_flush_cache(struct dmar_domain
> > > > *domain, u64 addr,
> > > > +                     unsigned long npages, bool ih, u32 *error)
> > > > +{
> > > > +    struct iommu_domain_info *info;
> > > > +    unsigned long i;
> > > > +    unsigned mask;
> > > > +    u32 fault;
> > > > +
> > > > +    xa_for_each(&domain->iommu_array, i, info)
> > > > +        qi_flush_piotlb(info->iommu,
> > > > +                domain_id_iommu(domain, info->iommu),
> > > > +                IOMMU_NO_PASID, addr, npages, ih, NULL);
> > > 
> > > This locking on the xarray is messed up throughout the driver. There
> > > could be a concurrent detach at this point which will free info and
> > > UAF this.
> > 
> > hmmm, xa_for_each() takes and releases rcu lock, and according to the
> > domain_detach_iommu(), info is freed after xa_erase(). For an existing
> > info stored in xarray, xa_erase() should return after rcu lock is released.
> > is it? Any idea? @Baolu
> 
> I once thought locking for xarray is self-contained. I need more thought
> on this before taking further action.

The locking of xarray itself is self-contained, but once it returns a
value then the user has to provide locking to protect the value.

In this case the xarray storage memory itself will not UAF but the
info pointer to memory returned from the xarray will.

I've been thinking arm/amd/intel all need the same datastructure here,
and it is a bit complicated. We should try to make a library to handle
it..

It is straightforward except for the RCU list walk for invalidation..

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ