lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Mar 2022 20:54:08 +0000 From: Robin Murphy <robin.murphy@....com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Oleksandr Natalenko <oleksandr@...alenko.name>, Halil Pasic <pasic@...ux.ibm.com>, Christoph Hellwig <hch@....de>, Marek Szyprowski <m.szyprowski@...sung.com>, Toke Høiland-Jørgensen <toke@...e.dk>, Kalle Valo <kvalo@...nel.org>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Olha Cherevyk <olha.cherevyk@...il.com>, iommu <iommu@...ts.linux-foundation.org>, linux-wireless <linux-wireless@...r.kernel.org>, Netdev <netdev@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, stable <stable@...r.kernel.org> Subject: Re: [REGRESSION] Recent swiotlb DMA_FROM_DEVICE fixes break ath9k-based AP On 2022-03-23 19:16, Linus Torvalds wrote: > On Wed, Mar 23, 2022 at 12:06 PM Robin Murphy <robin.murphy@....com> wrote: >> >> On 2022-03-23 17:27, Linus Torvalds wrote: >>> >>> I'm assuming that the ath9k issue is that it gives DMA mapping a big >>> enough area to handle any possible packet size, and just expects - >>> quite reasonably - smaller packets to only fill the part they need. >>> >>> Which that "info leak" patch obviously breaks entirely. >> >> Except that's the exact case which the new patch is addressing > > Not "addressing". Breaking. > > Which is why it will almost certainly get reverted. > > Not doing DMA to the whole area seems to be quite the sane thing to do > for things like network packets, and overwriting the part that didn't > get DMA'd with zeroes seems to be exactly the wrong thing here. > > So the SG_IO - and other random untrusted block command sources - data > leak will almost certainly have to be addressed differently. Possibly > by simply allocating the area with GFP_ZERO to begin with. Er, the point of the block layer case is that whole area *is* zeroed to begin with, and a latent memory corruption problem in SWIOTLB itself replaces those zeros with random other kernel data unexpectedly. Let me try illustrating some sequences for clarity... Expected behaviour/without SWIOTLB: Memory --------------------------------------------------- start 12345678 dma_map(DMA_FROM_DEVICE) no-op device writes partial data 12ABC678 <- ABC dma_unmap(DMA_FROM_DEVICE) 12ABC678 SWIOTLB previously: Memory Bounce buffer --------------------------------------------------- start 12345678 xxxxxxxx dma_map(DMA_FROM_DEVICE) no-op device writes partial data 12345678 xxABCxxx <- ABC dma_unmap(DMA_FROM_DEVICE) xxABCxxx <- xxABCxxx SWIOTLB Now: Memory Bounce buffer --------------------------------------------------- start 12345678 xxxxxxxx dma_map(DMA_FROM_DEVICE) 12345678 -> 12345678 device writes partial data 12345678 12ABC678 <- ABC dma_unmap(DMA_FROM_DEVICE) 12ABC678 <- 12ABC678 Now, sure we can prevent any actual information leakage by initialising the bounce buffer slot with zeros, but then we're just corrupting the not-written-to parts of the mapping with zeros instead of anyone else's old data. That's still fundamentally not OK. The only thing SWIOTLB can do to be correct is treat DMA_FROM_DEVICE as a read-modify-write of the entire mapping, because it has no way to know how much of it is actually going to be modified. I'll admit I still never quite grasped the reason for also adding the override to swiotlb_sync_single_for_device() in aa6f8dcbab47, but I think by that point we were increasingly tired and confused and starting to second-guess ourselves (well, I was, at least). I don't think it's wrong per se, but as I said I do think it can bite anyone who's been doing dma_sync_*() wrong but getting away with it until now. If ddbd89deb7d3 alone turns out to work OK then I'd be inclined to try a partial revert of just that one hunk. Thanks, Robin.
Powered by blists - more mailing lists