lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250709114432.294425ff@DESKTOP-0403QTC.>
Date: Wed, 9 Jul 2025 11:44:32 -0700
From: Jacob Pan <jacob.pan@...ux.microsoft.com>
To: Dave Hansen <dave.hansen@...el.com>
Cc: Jason Gunthorpe <jgg@...dia.com>, Lu Baolu <baolu.lu@...ux.intel.com>,
 Joerg Roedel <joro@...tes.org>, Will Deacon <will@...nel.org>, Robin Murphy
 <robin.murphy@....com>, Kevin Tian <kevin.tian@...el.com>, Jann Horn
 <jannh@...gle.com>, Vasant Hegde <vasant.hegde@....com>, Alistair Popple
 <apopple@...dia.com>, Peter Zijlstra <peterz@...radead.org>, Uladzislau
 Rezki <urezki@...il.com>, Jean-Philippe Brucker <jean-philippe@...aro.org>,
 Andy Lutomirski <luto@...nel.org>, iommu@...ts.linux.dev,
 security@...nel.org, linux-kernel@...r.kernel.org, stable@...r.kernel.org,
 jacob.pan@...ux.microsoft.com
Subject: Re: [PATCH 1/1] iommu/sva: Invalidate KVA range on kernel TLB flush

Hi Dave,

On Wed, 9 Jul 2025 11:22:34 -0700
Dave Hansen <dave.hansen@...el.com> wrote:

> On 7/9/25 11:15, Jacob Pan wrote:
> >>> Is there a use case where a SVA user can access kernel memory in
> >>> the first place?    
> >> No. It should be fully blocked.
> >>  
> > Then I don't understand what is the "vulnerability condition" being
> > addressed here. We are talking about KVA range here.  
> 
> SVA users can't access kernel memory, but they can compel walks of
> kernel page tables, which the IOMMU caches. The trouble starts if the
> kernel happens to free that page table page and the IOMMU is using the
> cache after the page is freed.
> 
According to VT-d spec. 6.2.4 S1 IOTLB caching includes access
privilege.
"First-stage mappings:
— Each of these is a mapping from a input page number in a request to the physical page frame
to which it translates (derived from first-stage translation), along with information about
access privileges and memory typing (if applicable)."

So you are saying IOMMU can cache user DMA initiated walks and cache
with supervisor privilige? Since the SVA PASID is a user PASID, even if
IOMMU uses the cache later on, how could it get supervior privilege?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ