| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251017130249.GA309181@nvidia.com>
Date: Fri, 17 Oct 2025 10:02:49 -0300
From: Jason Gunthorpe <jgg@...dia.com>
To: Leon Romanovsky <leon@...nel.org>
Cc: Alex Williamson <alex.williamson@...hat.com>,
Leon Romanovsky <leonro@...dia.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Christian König <christian.koenig@....com>,
dri-devel@...ts.freedesktop.org, iommu@...ts.linux.dev,
Jens Axboe <axboe@...nel.dk>, Joerg Roedel <joro@...tes.org>,
kvm@...r.kernel.org, linaro-mm-sig@...ts.linaro.org,
linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-media@...r.kernel.org, linux-mm@...ck.org,
linux-pci@...r.kernel.org, Logan Gunthorpe <logang@...tatee.com>,
Marek Szyprowski <m.szyprowski@...sung.com>,
Robin Murphy <robin.murphy@....com>,
Sumit Semwal <sumit.semwal@...aro.org>,
Vivek Kasireddy <vivek.kasireddy@...el.com>,
Will Deacon <will@...nel.org>
Subject: Re: [PATCH v5 9/9] vfio/pci: Add dma-buf export support for MMIO
regions
On Mon, Oct 13, 2025 at 06:26:11PM +0300, Leon Romanovsky wrote:
> +static void dma_ranges_to_p2p_phys(struct vfio_pci_dma_buf *priv,
> + struct vfio_device_feature_dma_buf *dma_buf,
> + struct vfio_region_dma_range *dma_ranges,
> + struct p2pdma_provider *provider)
> +{
> + struct pci_dev *pdev = priv->vdev->pdev;
> + phys_addr_t pci_start;
> + u32 i;
> +
> + pci_start = pci_resource_start(pdev, dma_buf->region_index);
> + for (i = 0; i < dma_buf->nr_ranges; i++) {
> + priv->phys_vec[i].len = dma_ranges[i].length;
> + priv->phys_vec[i].paddr = pci_start + dma_ranges[i].offset;
> + priv->size += priv->phys_vec[i].len;
> + }
This is missing validation, the userspace can pass in any
length/offset but the resource is of limited size. Like this:
static int dma_ranges_to_p2p_phys(struct vfio_pci_dma_buf *priv,
struct vfio_device_feature_dma_buf *dma_buf,
struct vfio_region_dma_range *dma_ranges,
struct p2pdma_provider *provider)
{
struct pci_dev *pdev = priv->vdev->pdev;
phys_addr_t len = pci_resource_len(pdev, dma_buf->region_index);
phys_addr_t pci_start;
phys_addr_t pci_last;
u32 i;
if (!len)
return -EINVAL;
pci_start = pci_resource_start(pdev, dma_buf->region_index);
pci_last = pci_start + len - 1;
for (i = 0; i < dma_buf->nr_ranges; i++) {
phys_addr_t last;
if (!dma_ranges[i].length)
return -EINVAL;
if (check_add_overflow(pci_start, dma_ranges[i].offset,
&priv->phys_vec[i].paddr) ||
check_add_overflow(priv->phys_vec[i].paddr,
dma_ranges[i].length - 1, &last))
return -EOVERFLOW;
if (last > pci_last)
return -EINVAL;
priv->phys_vec[i].len = dma_ranges[i].length;
priv->size += priv->phys_vec[i].len;
}
priv->nr_ranges = dma_buf->nr_ranges;
priv->provider = provider;
return 0;
}
Jason
Powered by blists - more mailing lists