LinuxLists.cc - [PATCH v2 v4.14.y 0/3] vfio: Fix for CVE-2020-12888

2020-09-08 19:01:09

Subject: [PATCH v2 v4.14.y 0/3] vfio: Fix for CVE-2020-12888

CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some
devices may lead to DoS scenario

The VFIO modules allow users (guest VMs) to enable or disable access to the
devices' MMIO memory address spaces. If a user attempts to access (read/write)
the devices' MMIO address space when it is disabled, some h/w devices issue an
interrupt to the CPU to indicate a fatal error condition, crashing the system.
This flaw allows a guest user or process to crash the host system resulting in
a denial of service.

Patch 1/ is to force the user fault if PFNMAP vma might be DMA mapped
before user access.

Patch 2/ setup a vm_ops handler to support dynamic faulting instead of calling
remap_pfn_range(). Also provides a list of vmas actively mapping the area which
can later use to invalidate those mappings.

Patch 3/ block the user from accessing memory spaces which is disabled by using
new vma list support to zap, or invalidate, those memory mappings in order to
force them to be faulted back in on access.

Upstreamed patches link:
https://lore.kernel.org/kvm/[email protected]

Diff from v1:
Fixed build break problem.

[PATCH v2 v4.14.y 1/3]:
Backporting of upsream commit 41311242221e:
vfio/type1: Support faulting PFNMAP vmas

[PATCH v2 v4.14.y 2/3]:
Backporting of upsream commit 11c4cd07ba11:
vfio-pci: Fault mmaps to enable vma tracking

[PATCH v2 v4.14.y 3/3]:
Backporting of upsream commit abafbc551fdd:
vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

2020-09-10 17:14:34

by Greg Kroah-Hartman

[permalink] [raw]

Subject: Re: [PATCH v2 v4.14.y 0/3] vfio: Fix for CVE-2020-12888

On Wed, Sep 09, 2020 at 12:24:23AM +0530, Ajay Kaher wrote:
> CVE-2020-12888 Kernel: vfio: access to disabled MMIO space of some
> devices may lead to DoS scenario
>
> The VFIO modules allow users (guest VMs) to enable or disable access to the
> devices' MMIO memory address spaces. If a user attempts to access (read/write)
> the devices' MMIO address space when it is disabled, some h/w devices issue an
> interrupt to the CPU to indicate a fatal error condition, crashing the system.
> This flaw allows a guest user or process to crash the host system resulting in
> a denial of service.
>
> Patch 1/ is to force the user fault if PFNMAP vma might be DMA mapped
> before user access.
>
> Patch 2/ setup a vm_ops handler to support dynamic faulting instead of calling
> remap_pfn_range(). Also provides a list of vmas actively mapping the area which
> can later use to invalidate those mappings.
>
> Patch 3/ block the user from accessing memory spaces which is disabled by using
> new vma list support to zap, or invalidate, those memory mappings in order to
> force them to be faulted back in on access.
>
> Upstreamed patches link:
> https://lore.kernel.org/kvm/[email protected]
>
> Diff from v1:
> Fixed build break problem.
>
> [PATCH v2 v4.14.y 1/3]:
> Backporting of upsream commit 41311242221e:
> vfio/type1: Support faulting PFNMAP vmas
>
> [PATCH v2 v4.14.y 2/3]:
> Backporting of upsream commit 11c4cd07ba11:
> vfio-pci: Fault mmaps to enable vma tracking
>
> [PATCH v2 v4.14.y 3/3]:
> Backporting of upsream commit abafbc551fdd:
> vfio-pci: Invalidate mmaps and block MMIO access on disabled memory

This worked better, now all queued up, thanks!

greg k-h