Re: [PATCH 0/3] hw/sd/sdhci: Fix DMA re-entrancy issue
From: Philippe Mathieu-Daudé
Subject: Re: [PATCH 0/3] hw/sd/sdhci: Fix DMA re-entrancy issue
Date: Wed, 15 Dec 2021 21:56:49 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
On 12/15/21 21:55, Philippe Mathieu-Daudé wrote:
> Hi,
>
> This series is an attempt to fix the DMA re-entrancy problem
> on the SDHCI device. OSS-Fuzz found it and Alexander generated
> a helpful reproducer.
>
> By setting the MemTxAttrs::memory bit before doing DMA transactions,
> the flatview API will return MEMTX_BUS_ERROR if the transaction
> targets a non-memory (a device), which is usually how DMA-reentrancy
> bugs are exploited.
>
> On real hardware, the checks are on the interconnect bus, not in
> the SDHCI block. However QEMU blocks aren't modelled that way.
> Using the flatview API seems (to me) the simplest and closer
> to hardware, it is a generic API and we can use it to trace
> bus transactions on all blocks.
>
> Note this series is simply one example to fix the generic
> issues. The important changes are in the previous series:
> https://lore.kernel.org/qemu-devel/20211215182421.418374-1-philmd@redhat.com/
> Based-on: <20211215182421.418374-1-philmd@redhat.com>
> "physmem: Have flatview API check bus permission from MemTxAttrs"
Please disregard this cover, I forgot to post as RFC...
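
The check described in the quoted cover letter, as an added example that is not part of the original message and is not QEMU code: a toy bus dispatch in which a device's DMA write tagged memory-only gets a bus error when it targets a device register instead of RAM, so the device's MMIO handler is never re-entered. Every name, address and the nesting cap are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model, not QEMU code: every name below is hypothetical. */
typedef enum { TOY_OK, TOY_BUS_ERROR } toy_result;
typedef struct { bool memory; } toy_attrs;  /* same idea as MemTxAttrs::memory */

#define DEV_REG  0x1000u        /* device doorbell register (MMIO) */
#define MAX_NEST 8              /* cap so the unguarded case terminates */
static uint8_t ram[0x1000];     /* guest RAM at 0x0000..0x0fff */
static uint64_t dma_target;     /* guest-programmed DMA address */
static toy_attrs dma_attrs;     /* attributes the device uses for its DMA */
static toy_result last_dma;     /* result of the most recent DMA write */
static int depth, max_depth;    /* nesting of the device's MMIO handler */

static toy_result toy_write(uint64_t addr, const void *buf, size_t len, toy_attrs a);

/* MMIO handler: a doorbell write makes the device DMA a block to dma_target. */
static void dev_mmio_write(void)
{
    static const uint8_t block[4] = { 0xde, 0xad, 0xbe, 0xef };
    if (++depth > max_depth) max_depth = depth;
    if (depth < MAX_NEST)
        last_dma = toy_write(dma_target, block, sizeof(block), dma_attrs);
    depth--;
}

/* Bus dispatch: RAM is always reachable; devices only if !a.memory. */
static toy_result toy_write(uint64_t addr, const void *buf, size_t len, toy_attrs a)
{
    if (addr < sizeof(ram) && len <= sizeof(ram) - addr) {
        memcpy(ram + addr, buf, len);
        return TOY_OK;
    }
    if (a.memory) return TOY_BUS_ERROR;  /* memory-only access, non-RAM target */
    if (addr == DEV_REG) { dev_mmio_write(); return TOY_OK; }
    return TOY_BUS_ERROR;                /* unmapped address */
}

/* One CPU doorbell write; returns how deep the MMIO handler nested. */
int toy_kick(uint64_t target, bool memory_only)
{
    toy_attrs cpu = { false };           /* CPU accesses may reach devices */
    dma_target = target; dma_attrs.memory = memory_only;
    depth = max_depth = 0; last_dma = TOY_OK;
    toy_write(DEV_REG, "", 1, cpu);
    return max_depth;
}
```

`toy_kick(DEV_REG, false)` nests the handler until the cap is hit, while `toy_kick(DEV_REG, true)` stops at depth 1 with `last_dma` set to `TOY_BUS_ERROR`; DMA to a RAM address succeeds in both modes.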