From: Klaus Jensen
Subject: Re: [PATCH 0/2] hw/nvme: Fix CVE-2021-3929 (DMA re-entrancy exploitation)
Date: Thu, 16 Dec 2021 20:55:47 +0100
On Dec 16 20:13, Klaus Jensen wrote:
> On Dec 16 18:55, Philippe Mathieu-Daudé wrote:
> > Now that the DMA API allow passing MemTxAttrs argument and
> > returning MemTxResult (with MEMTX_BUS_ERROR in particular),
> > we can restrict the NVMe controller to memories (prohibiting
> > accesses by the DMA engine to devices) and block yet another
> > DMA re-entrancy attack.
> >
> > I will try to get a reproducer (and authorization to commit
> > it as qtest) from the reporter.
> >
> > Based-on: <20211216123558.799425-1-philmd@redhat.com>
> > "hw: Have DMA API take MemTxAttrs arg & propagate MemTxResult (part 2)"
> > https://lore.kernel.org/qemu-devel/20211216123558.799425-1-philmd@redhat.com/
> >
> > Philippe Mathieu-Daudé (2):
> > hw/nvme/ctrl: Do not ignore DMA access errors
> > hw/nvme/ctrl: Prohibit DMA accesses to devices (CVE-2021-3929)
> >
> > hw/nvme/ctrl.c | 9 +++++----
> > 1 file changed, 5 insertions(+), 4 deletions(-)
> >
>
> LGTM.
>
> Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
Ugh. Jumped the gun here.
This all looked fine, but since this prohibits DMA to other devices it
breaks DMA'ing to a controller memory buffer on another device, which is
a used feature of some setups.
I think we need to fix this like e1000 did?
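The trade-off raised in this reply, as an added toy model that is not QEMU code and not the e1000 fix: a DMA dispatcher with a memory-only policy (any device-backed target returns a bus error, which also rejects a controller memory buffer exposed by a peer device) beside a per-device re-entrancy guard that only refuses DMA re-entering the initiating device's own MMIO. The address layout, device names, the `in_dma` flag and the `POLICY_*` enum are all constructed for this illustration; `MemTxResult`/`MEMTX_BUS_ERROR` only borrow QEMU's naming.

```c
/* Toy model of two DMA target policies (illustration, not QEMU code).
 *  - POLICY_MEMORY_ONLY: DMA may target RAM only; any device region returns
 *    MEMTX_BUS_ERROR, so a CMB on another controller is rejected too.
 *  - POLICY_REENTRANCY_GUARD: (my own alternative, not a claim about e1000)
 *    a per-device "in DMA" flag rejects DMA that would re-enter the issuing
 *    device's own MMIO handler, while DMA to other devices still completes.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { MEMTX_OK = 0, MEMTX_BUS_ERROR = 1 } MemTxResult; /* simplified */
typedef enum { REGION_RAM, REGION_DEVICE } RegionKind;
typedef enum { POLICY_MEMORY_ONLY, POLICY_REENTRANCY_GUARD } DmaPolicy;

typedef struct Device {
    const char *name;
    bool in_dma;      /* set while this device's DMA engine is active */
    int mmio_writes;  /* MMIO writes that actually reached the device */
} Device;

typedef struct {
    uint64_t base, size;
    RegionKind kind;
    Device *owner;    /* device backing this region, NULL for RAM */
} Region;

#define NREGIONS 3
static uint8_t g_ram[4096];
static Device g_nvme      = { "nvme0", false, 0 };
static Device g_nvme_peer = { "nvme1", false, 0 };

/* Constructed layout: RAM at 0, nvme0 MMIO at 0x10000, nvme1 CMB at 0x20000 */
static Region g_map[NREGIONS] = {
    { 0x00000, sizeof g_ram, REGION_RAM,    NULL         },
    { 0x10000, 0x1000,       REGION_DEVICE, &g_nvme      },
    { 0x20000, 0x1000,       REGION_DEVICE, &g_nvme_peer },
};

static Region *lookup(uint64_t addr)
{
    for (size_t i = 0; i < NREGIONS; i++) {
        if (addr >= g_map[i].base && addr - g_map[i].base < g_map[i].size) {
            return &g_map[i];
        }
    }
    return NULL; /* unmapped */
}

/* One byte of DMA from `initiator` to `addr` under `policy`. */
static MemTxResult dma_write(Device *initiator, DmaPolicy policy,
                             uint64_t addr, uint8_t val)
{
    Region *r = lookup(addr);
    if (!r) {
        return MEMTX_BUS_ERROR;              /* nothing mapped there */
    }
    if (r->kind == REGION_RAM) {
        g_ram[addr - r->base] = val;         /* plain memory: always fine */
        return MEMTX_OK;
    }
    if (policy == POLICY_MEMORY_ONLY) {
        return MEMTX_BUS_ERROR;              /* device-backed target refused */
    }
    /* Guard: refuse DMA into the initiator's own MMIO while it is mid-DMA,
     * which is the re-entrant path; other devices (e.g. a peer's CMB) pass. */
    if (r->owner == initiator && initiator->in_dma) {
        return MEMTX_BUS_ERROR;
    }
    r->owner->mmio_writes++;                 /* would invoke the MMIO handler */
    return MEMTX_OK;
}

/* The controller's DMA engine issuing one transfer; mirrors the window in
 * which a re-entrant MMIO access would be dangerous. */
static MemTxResult nvme_dma_transfer(Device *ctrl, DmaPolicy policy, uint64_t addr)
{
    ctrl->in_dma = true;
    MemTxResult res = dma_write(ctrl, policy, addr, 0xAB);
    ctrl->in_dma = false;
    return res;
}

int main(void)
{
    printf("memory-only, RAM:      %d\n", nvme_dma_transfer(&g_nvme, POLICY_MEMORY_ONLY, 0x100));
    printf("memory-only, own MMIO: %d\n", nvme_dma_transfer(&g_nvme, POLICY_MEMORY_ONLY, 0x10004));
    printf("memory-only, peer CMB: %d\n", nvme_dma_transfer(&g_nvme, POLICY_MEMORY_ONLY, 0x20000));
    printf("guard, own MMIO:       %d\n", nvme_dma_transfer(&g_nvme, POLICY_REENTRANCY_GUARD, 0x10004));
    printf("guard, peer CMB:       %d\n", nvme_dma_transfer(&g_nvme, POLICY_REENTRANCY_GUARD, 0x20000));
    return 0;
}
```

The memory-only column is the behaviour this reply objects to: the peer CMB transfer fails with the same bus error as the re-entrant one. The guard column keeps the re-entrant write blocked while the cross-device transfer completes, which is the distinction a fix would need to preserve.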