sh.si...@amd.com
Subject: Re: swiotlb/virtio: unchecked device dma address and length
On Wed, Dec 16, 2020 at 10:07:31PM +, Radev, Martin wrote:
> Hello everybody,
>
> I will try to help clarify some things.
>
> > On a DMA unmap SWIOTLB (when force is used) it trusts the driver from providing
> > the correct DMA address and length which SWIOTLB uses to match to its
> > asso
On Thu, Dec 17, 2020 at 12:19:16PM +0800, Jason Wang wrote:
>
> On 2020/12/16 9:04 PM, Konrad Rzeszutek Wilk wrote:
> > On December 16, 2020 1:41:48 AM EST, Jason Wang wrote:
> > >
> > > - Original Message -
> > > >
> > > > - Original Message -
> > > > > .snip.
> > > > > > > > Th
On 2020/12/16 9:04 PM, Konrad Rzeszutek Wilk wrote:
On December 16, 2020 1:41:48 AM EST, Jason Wang wrote:
- Original Message -
- Original Message -
.snip.
This raises two issues:
1) swiotlb_tlb_unmap_single fails to check whether the index
generated
from the dma_addr is in
undation.org
; iommu@lists.linux-foundation.org
; Radev, Martin
; Morbitzer, Mathias
; Robert Buhren
; david.kap...@amd.com
Subject: Re: swiotlb/virtio: unchecked device dma address and length
..snip..
>> > > This raises two issues:
>> > > 1) swiotlb_tlb_unmap_single fails to check whether the index generated
>> > > from the dma_addr is in range of the io_tlb_orig_addr array.
>> > That is fairly simple to implement I would think. That is it can check
>> > that the dma_addr is from the
On December 16, 2020 1:41:48 AM EST, Jason Wang wrote:
>
>
>- Original Message -
>>
>>
>> - Original Message -
>> > .snip.
>> > > > > This raises two issues:
>> > > > > 1) swiotlb_tlb_unmap_single fails to check whether the index
>> > > > > generated
>> > > > > from the dma_addr
On Tue, Dec 15, 2020 at 11:20:48AM +0800, Jason Wang wrote:
>
> On 2020/12/15 5:49 AM, Konrad Rzeszutek Wilk wrote:
> > On Fri, Dec 11, 2020 at 06:31:21PM +0100, Felicitas Hetzelt wrote:
> > > Hello,
> > Hi! Please see below my responses.
> >
> > > we have been analyzing the Hypervisor-OS interfac
- Original Message -
>
>
> - Original Message -
> > .snip.
> > > > > This raises two issues:
> > > > > 1) swiotlb_tlb_unmap_single fails to check whether the index
> > > > > generated
> > > > > from the dma_addr is in range of the io_tlb_orig_addr array.
> > > > That is fairly
- Original Message -
> .snip.
> > > > This raises two issues:
> > > > 1) swiotlb_tlb_unmap_single fails to check whether the index generated
> > > > from the dma_addr is in range of the io_tlb_orig_addr array.
> > > That is fairly simple to implement I would think. That is it can check
>
On Tue, Dec 15, 2020 at 11:54:08AM +0100, Felicitas Hetzelt wrote:
> Hello,
> thank you all for looking into this! To answer some of the questions:
> - Did you have already some PoC fixes for this:
> We don't have a full PoC or fix currently. Though we have a PoC
> with which we were able to o
.snip.
> > > This raises two issues:
> > > 1) swiotlb_tlb_unmap_single fails to check whether the index generated
> > > from the dma_addr is in range of the io_tlb_orig_addr array.
> > That is fairly simple to implement I would think. That is it can check
> > that the dma_addr is from the PA in the
Hello,
thank you all for looking into this! To answer some of the questions:
- Did you have already some PoC fixes for this:
We don't have a full PoC or fix currently. Though we have a PoC
with which we were able to overwrite memory outside of the mapped
DMA region.
- Is there a CVE associ
On Mon, Dec 14, 2020 at 04:49:50PM -0500, Konrad Rzeszutek Wilk wrote:
> On Fri, Dec 11, 2020 at 06:31:21PM +0100, Felicitas Hetzelt wrote:
> > Hello,
>
> Hi! Please see below my responses.
>
> > we have been analyzing the Hypervisor-OS interface of Linux
> > and discovered bugs in the swiotlb/vi
On 2020/12/15 5:49 AM, Konrad Rzeszutek Wilk wrote:
On Fri, Dec 11, 2020 at 06:31:21PM +0100, Felicitas Hetzelt wrote:
Hello,
Hi! Please see below my responses.
we have been analyzing the Hypervisor-OS interface of Linux
and discovered bugs in the swiotlb/virtio implementation that can be
tri
On Fri, Dec 11, 2020 at 06:31:21PM +0100, Felicitas Hetzelt wrote:
> Hello,
Hi! Please see below my responses.
> we have been analyzing the Hypervisor-OS interface of Linux
> and discovered bugs in the swiotlb/virtio implementation that can be
> triggered from a malicious Hypervisor / virtual dev
Hello,
we have been analyzing the Hypervisor-OS interface of Linux
and discovered bugs in the swiotlb/virtio implementation that can be
triggered from a malicious Hypervisor / virtual device.
With SEV, the SWIOTLB implementation is forcefully enabled and would
always be used. Thus, all virtio devic
17 matches