On 8/24/21 12:26 AM, Alexander Bulekov wrote:
> On 210823 1650, Peter Xu wrote:
>> On Mon, Aug 23, 2021 at 08:10:50PM +0100, Peter Maydell wrote:
>>> On Mon, 23 Aug 2021 at 17:42, Philippe Mathieu-Daudé <phi...@redhat.com>
>>> wrote:
>>>>
>>>> This series aims to kill a recent class of bug, the infamous
>>>> "DMA reentrancy" issues found by Alexander while fuzzing.
>>>>
>>>> Introduce the 'bus_perm' field in MemTxAttrs, defining 3 bits:
>>>>
>>>> - MEMTXPERM_UNSPECIFIED (current default, unchanged behavior)
>>>> - MEMTXPERM_UNRESTRICTED (allow list approach)
>>>> - MEMTXPERM_RAM_DEVICE (example of deny list approach)
>>>>
>>>> If a transaction permission is not allowed (for example access
>>>> to a non-RAM device), we return the specific MEMTX_BUS_ERROR.
>>>>
>>>> Permissions are checked after the flatview is resolved, and
>>>> before the access is done, in a new function: flatview_access_allowed().
>>>
>>> So I'm not going to say 'no' to this, because we have a real
>>> recursive-device-handling problem and I don't have a better
>>> idea to hand, but the thing about this is that we end up with
>>> behaviour which is not what the real hardware does. I'm not
>>> aware of any DMA device which has this kind of "can only DMA
>>> to/from RAM, and aborts on access to a device" behaviour...
>>
>> Sorry for not being familiar with the context - is there more info regarding
>> the problem to fix? I'm looking at the links mentioned in the old series:
>>
>> https://lore.kernel.org/qemu-devel/20200903110831.353476-12-phi...@redhat.com/
>> https://bugs.launchpad.net/qemu/+bug/1886362
>> https://bugs.launchpad.net/qemu/+bug/1888606
>>
>> They seem all marked as fixed now.
>
> Here are some that should still reproduce:
> https://gitlab.com/qemu-project/qemu/-/issues/542
> https://gitlab.com/qemu-project/qemu/-/issues/540
> https://gitlab.com/qemu-project/qemu/-/issues/541
> https://gitlab.com/qemu-project/qemu/-/issues/62
> https://lore.kernel.org/qemu-devel/20210218140629.373646-1-ppan...@redhat.com/
> (CVE-2021-20255)

Also 305, 451, 557. Issues list tracked here:
https://gitlab.com/qemu-project/qemu/-/issues/556
(Thanks Alex for updating it!)

>
> There's also this one, that I don't think I ever created a bug report
> for (working on it now):
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33247
> -Alex
>
>>
>> Thanks,
>>
>> --
>> Peter Xu
>>
>
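As an added illustration of the mechanism the cover letter describes (this is not QEMU's code and not part of the series under discussion), the following C model shows the shape of a bus_perm check that runs after the target region is resolved and before the access happens. The names MemTxAttrs, the three MEMTXPERM_* values, MEMTX_BUS_ERROR and flatview_access_allowed() come from the letter; the struct layouts, numeric values, the MemRegion type, dma_read() and the demo_* helpers are assumptions made for this toy. The reading that UNRESTRICTED permits every target while RAM_DEVICE permits RAM only is an interpretation of the letter, not something the thread confirms.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the 'bus_perm' bits from the cover letter.
 * Enum names follow the letter; numeric values and exact semantics are
 * assumptions for this illustration (this is NOT QEMU's MemTxAttrs). */
typedef enum {
    MEMTXPERM_UNSPECIFIED  = 0, /* current default: behaviour unchanged */
    MEMTXPERM_UNRESTRICTED = 1, /* allow-list approach: any target permitted */
    MEMTXPERM_RAM_DEVICE   = 2, /* deny-list approach: RAM only, devices denied */
} MemTxPerm;

typedef struct { MemTxPerm bus_perm; } MemTxAttrs;

typedef enum { MEMTX_OK = 0, MEMTX_BUS_ERROR = 1 } MemTxResult;

/* Constructed stand-in for the region a flatview lookup resolves to; only
 * the property the check needs (RAM or device) is modelled. */
typedef struct {
    const char *name;
    bool is_ram;
} MemRegion;

/* Stand-in for the letter's flatview_access_allowed(): the region is already
 * known, the access has not happened yet, decide from bus_perm alone. */
static bool flatview_access_allowed(MemTxAttrs attrs, const MemRegion *mr)
{
    switch (attrs.bus_perm) {
    case MEMTXPERM_UNSPECIFIED:  /* legacy callers keep the old behaviour */
    case MEMTXPERM_UNRESTRICTED: /* explicitly allowed to reach anything */
        return true;
    case MEMTXPERM_RAM_DEVICE:   /* DMA engine: RAM is fine, a device is not */
        return mr->is_ram;
    }
    return false;                /* unknown bit pattern: fail closed */
}

/* Toy DMA read: check first, copy only when the check passes. A denied
 * access returns MEMTX_BUS_ERROR and never touches the target region,
 * which is what stops the device-to-device re-entry the letter targets. */
static MemTxResult dma_read(MemTxAttrs attrs, const MemRegion *mr,
                            const uint8_t *src, uint8_t *dst, size_t len)
{
    if (!flatview_access_allowed(attrs, mr)) {
        return MEMTX_BUS_ERROR;
    }
    for (size_t i = 0; i < len; i++) {
        dst[i] = src[i];
    }
    return MEMTX_OK;
}

/* Constructed sample targets and transactions used by the demos below. */
static const MemRegion g_ram  = { "guest-ram", true };
static const MemRegion g_mmio = { "some-device-mmio", false };
static const uint8_t g_src[4] = { 1, 2, 3, 4 };

/* DMA engine (RAM_DEVICE) reading from RAM: allowed. */
static MemTxResult demo_dma_to_ram(uint8_t out[4])
{
    MemTxAttrs attrs = { MEMTXPERM_RAM_DEVICE };
    return dma_read(attrs, &g_ram, g_src, out, 4);
}

/* DMA engine (RAM_DEVICE) pointed at a device's MMIO: denied. */
static MemTxResult demo_dma_to_device(uint8_t out[4])
{
    MemTxAttrs attrs = { MEMTXPERM_RAM_DEVICE };
    return dma_read(attrs, &g_mmio, g_src, out, 4);
}

/* Legacy caller (UNSPECIFIED) at the same MMIO: unchanged behaviour, allowed. */
static MemTxResult demo_legacy_to_device(uint8_t out[4])
{
    MemTxAttrs attrs = { MEMTXPERM_UNSPECIFIED };
    return dma_read(attrs, &g_mmio, g_src, out, 4);
}

int main(void)
{
    uint8_t buf[4] = { 0 };
    printf("RAM_DEVICE -> RAM    : %d\n", demo_dma_to_ram(buf));
    printf("RAM_DEVICE -> device : %d\n", demo_dma_to_device(buf));
    printf("UNSPECIFIED -> device: %d\n", demo_legacy_to_device(buf));
    return 0;
}
```

The point of the ordering is the one the letter makes: the check sits between address resolution and the access itself, so a denied transaction costs one comparison and produces a bus error instead of dispatching into another device's MMIO handler.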