Re: [RFC PATCH v2 0/5] physmem: Have flaview API check bus permission from MemTxAttrs argument

From: Philippe Mathieu-Daudé
Subject: Re: [RFC PATCH v2 0/5] physmem: Have flaview API check bus permission from MemTxAttrs argument
Date: Tue, 24 Aug 2021 09:24:35 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
On 8/24/21 12:26 AM, Alexander Bulekov wrote:
> On 210823 1650, Peter Xu wrote:
>> On Mon, Aug 23, 2021 at 08:10:50PM +0100, Peter Maydell wrote:
>>> On Mon, 23 Aug 2021 at 17:42, Philippe Mathieu-Daudé <philmd@redhat.com>
>>> wrote:
>>>>
>>>> This series aims to kill a recent class of bug, the infamous
>>>> "DMA reentrancy" issues found by Alexander while fuzzing.
>>>>
>>>> Introduce the 'bus_perm' field in MemTxAttrs, defining 3 bits:
>>>>
>>>> - MEMTXPERM_UNSPECIFIED (current default, unchanged behavior)
>>>> - MEMTXPERM_UNRESTRICTED (allow list approach)
>>>> - MEMTXPERM_RAM_DEVICE (example of deny list approach)
>>>>
>>>> If a transaction permission is not allowed (for example access
>>>> to a non-RAM device), we return the specific MEMTX_BUS_ERROR.
>>>>
>>>> Permissions are checked after the flatview is resolved, and
>>>> before the access is done, in a new function: flatview_access_allowed().
>>>
>>> So I'm not going to say 'no' to this, because we have a real
>>> recursive-device-handling problem and I don't have a better
>>> idea to hand, but the thing about this is that we end up with
>>> behaviour which is not what the real hardware does. I'm not
>>> aware of any DMA device which has this kind of "can only DMA
>>> to/from RAM, and aborts on access to a device" behaviour...
>>
>> Sorry for not being familiar with the context - is there more info regarding
>> the problem to fix? I'm looking at the links mentioned in the old series:
>>
>> https://lore.kernel.org/qemu-devel/20200903110831.353476-12-philmd@redhat.com/
>> https://bugs.launchpad.net/qemu/+bug/1886362
>> https://bugs.launchpad.net/qemu/+bug/1888606
>>
>> They seem all marked as fixed now.
>
> Here are some that should still reproduce:
> https://gitlab.com/qemu-project/qemu/-/issues/542
> https://gitlab.com/qemu-project/qemu/-/issues/540
> https://gitlab.com/qemu-project/qemu/-/issues/541
> https://gitlab.com/qemu-project/qemu/-/issues/62
> https://lore.kernel.org/qemu-devel/20210218140629.373646-1-ppandit@redhat.com/
> (CVE-2021-20255)
Also 305, 451, 557.
Issues list tracked here:
https://gitlab.com/qemu-project/qemu/-/issues/556
(Thanks Alex for updating it!)
>
> There's also this one, that I don't think I ever created a bug report
> for (working on it now):
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33247
> -Alex
>
>>
>> Thanks,
>>
>> --
>> Peter Xu
>>
>
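The check the series describes, as an added self-contained C model (this is not QEMU's code and not the series' patches): a toy DMA device whose guest-programmed destination can point back at its own MMIO register, and a stand-in address_space_write() that first resolves the backing region and then applies a flatview_access_allowed()-style check on the transaction's bus_perm before touching it. With the default MEMTXPERM_UNSPECIFIED the handler re-enters itself; with MEMTXPERM_RAM_DEVICE the DMA to a non-RAM region fails with MEMTX_BUS_ERROR and the recursion never starts. The region layout, toy_dev_write, run_scenario, the depth instrumentation and the numeric value of MEMTX_BUS_ERROR are all constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the 3-bit bus_perm field the series adds to MemTxAttrs. */
enum {
    MEMTXPERM_UNSPECIFIED  = 0, /* current default: behaviour unchanged */
    MEMTXPERM_UNRESTRICTED = 1, /* allow-list: transaction explicitly allowed anywhere */
    MEMTXPERM_RAM_DEVICE   = 2, /* deny-list example: may reach RAM only, never a device */
};
typedef struct { unsigned bus_perm : 3; } MemTxAttrs;

/* Result codes; the numeric value of MEMTX_BUS_ERROR is a placeholder, not QEMU's. */
typedef enum { MEMTX_OK = 0, MEMTX_BUS_ERROR = 1 << 3 } MemTxResult;

/* Constructed model of a memory region as the resolved flatview would hand it back. */
typedef struct MemRegion MemRegion;
typedef MemTxResult (*MmioWriteFn)(MemRegion *mr, uint64_t off, uint64_t val);
struct MemRegion {
    const char *name;
    uint64_t base, size;
    bool is_ram;
    MmioWriteFn write;  /* NULL for RAM */
    uint8_t *ram;       /* backing store for RAM */
    int depth;          /* instrumentation: current nesting of the MMIO handler */
    int max_depth;      /* instrumentation: deepest nesting seen in a scenario */
};

#define RAM_SIZE 0x1000
#define DEV_BASE 0x10000
static uint8_t g_ram[RAM_SIZE];
static MemTxResult toy_dev_write(MemRegion *mr, uint64_t off, uint64_t val);
static MemRegion g_regions[] = {
    { "ram",     0,        RAM_SIZE, true,  NULL,          g_ram, 0, 0 },
    { "toy-dev", DEV_BASE, 0x100,    false, toy_dev_write, NULL,  0, 0 },
};

/* Stand-in for flatview_translate(): which region backs this address? */
static MemRegion *flatview_resolve(uint64_t addr)
{
    for (size_t i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++) {
        MemRegion *mr = &g_regions[i];
        if (addr >= mr->base && addr - mr->base < mr->size) return mr;
    }
    return NULL;
}

/* The check the series describes: after resolution, before the access. */
static bool flatview_access_allowed(const MemRegion *mr, MemTxAttrs attrs)
{
    switch (attrs.bus_perm) {
    case MEMTXPERM_UNSPECIFIED:
    case MEMTXPERM_UNRESTRICTED:
        return true;
    case MEMTXPERM_RAM_DEVICE:
        return mr->is_ram;
    default:
        return false; /* unknown permission value: fail closed */
    }
}

/* Stand-in for an 8-byte address_space_write(). */
static MemTxResult address_space_write(uint64_t addr, uint64_t val, MemTxAttrs attrs)
{
    MemRegion *mr = flatview_resolve(addr);
    if (!mr || !flatview_access_allowed(mr, attrs)) return MEMTX_BUS_ERROR;
    if (mr->is_ram) {
        uint64_t off = addr - mr->base;
        if (off + sizeof val > mr->size) return MEMTX_BUS_ERROR;
        memcpy(mr->ram + off, &val, sizeof val);
        return MEMTX_OK;
    }
    return mr->write(mr, addr - mr->base, val);
}

/* Toy DMA device: register 0x0 = DMA destination, register 0x8 = "kick". */
static uint64_t g_dma_dst;
static MemTxAttrs g_dma_attrs; /* attrs the device uses for its own DMA */

static MemTxResult toy_dev_write(MemRegion *mr, uint64_t off, uint64_t val)
{
    MemTxResult r = MEMTX_OK;
    mr->depth++;
    if (mr->depth > mr->max_depth) mr->max_depth = mr->depth;
    if (off == 0x0) {
        g_dma_dst = val;
    } else if (off == 0x8 && mr->depth <= 4) {
        /* Kick: DMA a completion word to wherever the guest pointed us. If that is
         * our own kick register this handler re-enters itself. The depth cap only
         * keeps the demo bounded; it is not part of the mitigation. */
        r = address_space_write(g_dma_dst, 0xC0FFEE, g_dma_attrs);
    }
    mr->depth--;
    return r;
}

typedef struct { MemTxResult result; int max_depth; } Outcome;

/* Guest programs the DMA destination, then kicks; CPU writes keep the default attrs. */
static Outcome run_scenario(uint64_t dst, unsigned dev_bus_perm)
{
    MemTxAttrs cpu = { MEMTXPERM_UNSPECIFIED };
    MemRegion *dev = flatview_resolve(DEV_BASE);
    g_dma_attrs.bus_perm = dev_bus_perm;
    dev->depth = dev->max_depth = 0;
    address_space_write(DEV_BASE + 0x0, dst, cpu);
    MemTxResult r = address_space_write(DEV_BASE + 0x8, 1, cpu);
    return (Outcome){ r, dev->max_depth };
}

static uint64_t ram_read64(uint64_t addr)
{
    uint64_t v;
    memcpy(&v, g_ram + addr, sizeof v);
    return v;
}

int main(void)
{
    Outcome a = run_scenario(DEV_BASE + 0x8, MEMTXPERM_UNSPECIFIED);
    Outcome b = run_scenario(DEV_BASE + 0x8, MEMTXPERM_RAM_DEVICE);
    Outcome c = run_scenario(0x100, MEMTXPERM_RAM_DEVICE);
    printf("unspecified, self-target: result=%d max_depth=%d\n", a.result, a.max_depth);
    printf("ram-only,    self-target: result=%d max_depth=%d\n", b.result, b.max_depth);
    printf("ram-only,    RAM target:  result=%d max_depth=%d ram[0x100]=%#llx\n",
           c.result, c.max_depth, (unsigned long long)ram_read64(0x100));
    return 0;
}
```

The model keeps Peter Maydell's point visible: the check is not what hardware does, it is a policy applied to the emulated bus. A device that sets MEMTXPERM_RAM_DEVICE on its own transactions gets its DMA refused the moment it resolves to a device region, so its handler is never re-entered; the default MEMTXPERM_UNSPECIFIED leaves today's behaviour, and the recursion, untouched.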