| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251028170144.6a33a107@shazbot.org>
Date: Tue, 28 Oct 2025 17:01:44 -0600
From: Alex Williamson <alex@...zbot.org>
To: Alex Mastro <amastro@...com>
Cc: Jason Gunthorpe <jgg@...pe.ca>, Alejandro Jimenez
<alejandro.j.jimenez@...cle.com>, David Matlack <dmatlack@...gle.com>,
<kvm@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v6 0/5] vfio: handle DMA map/unmap up to the addressable
limit
On Tue, 28 Oct 2025 09:14:59 -0700
Alex Mastro <amastro@...com> wrote:
> This patch series aims to fix vfio_iommu_type.c to support
> VFIO_IOMMU_MAP_DMA and VFIO_IOMMU_UNMAP_DMA operations targeting IOVA
> ranges which lie against the addressable limit. i.e. ranges where
> iova_start + iova_size would overflow to exactly zero.
>
> Today, the VFIO UAPI has an inconsistency: The
> VFIO_IOMMU_TYPE1_INFO_CAP_IOVA_RANGE capability of VFIO_IOMMU_GET_INFO
> reports that ranges up to the end of the address space are available
> for use, but are not really due to bugs in handling boundary conditions.
>
> For example:
>
> vfio_find_dma_first_node() is called to find the first dma node to unmap
> given an unmap range of [iova..iova+size). The check at the end of the
> function intends to test if the dma result lies beyond the end of the
> unmap range. The condition is incorrectly satisfied when iova+size
> overflows to zero, causing the function to return NULL.
>
> The same issue happens inside vfio_dma_do_unmap()'s while loop.
>
> This bug was also reported by Alejandro Jimenez in [1][2].
>
> Of primary concern are locations in the current code which perform
> comparisons against (iova + size) expressions, where overflow to zero
> is possible.
>
> The initial list of candidate locations to audit was taken from the
> following:
>
> $ rg 'iova.*\+.*size' -n drivers/vfio/vfio_iommu_type1.c | rg -v '\- 1'
> 173: else if (start >= dma->iova + dma->size)
> 192: if (start < dma->iova + dma->size) {
> 216: if (new->iova + new->size <= dma->iova)
> 1060: dma_addr_t iova = dma->iova, end = dma->iova + dma->size;
> 1233: if (dma && dma->iova + dma->size != iova + size)
> 1380: if (dma && dma->iova + dma->size != iova + size)
> 1501: ret = vfio_iommu_map(iommu, iova + dma->size, pfn, npage,
> 1504: vfio_unpin_pages_remote(dma, iova + dma->size, pfn,
> 1721: while (iova < dma->iova + dma->size) {
> 1743: i = iova + size;
> 1744: while (i < dma->iova + dma->size &&
> 1754: size_t n = dma->iova + dma->size - iova;
> 1785: iova += size;
> 1810: while (iova < dma->iova + dma->size) {
> 1823: i = iova + size;
> 1824: while (i < dma->iova + dma->size &&
> 2919: if (range.iova + range.size < range.iova)
>
> This series spends the first couple commits making mechanical
> preparations before the fix lands in the third commit. Selftests are
> added in the last two commits.
>
> [1] https://lore.kernel.org/qemu-devel/20250919213515.917111-1-alejandro.j.jimenez@oracle.com/
> [2] https://lore.kernel.org/all/68e18f2c-79ad-45ec-99b9-99ff68ba5438@oracle.com/
>
> Signed-off-by: Alex Mastro <amastro@...com>
>
> ---
> Changes in v6:
> - Fix nits in selftests
> - Clarify function calls with '()' in commit messages
> - Link to v5: https://lore.kernel.org/r/20251027-fix-unmap-v5-0-4f0fcf8ffb7d@fb.com
Applied to vfio for-linus branch for v6.18. Thanks!
Alex
Powered by blists - more mailing lists