Received: by 2002:ac0:aa62:0:0:0:0:0 with SMTP id w31-v6csp697273ima; Sat, 20 Oct 2018 17:16:33 -0700 (PDT) X-Google-Smtp-Source: ACcGV603sL5DJPgzQ/VI/fA0D14GRFn5vuiPB+s9V2TYCMuNjEM0rhdVzh6fOXgcTR5I83WLvL2p X-Received: by 2002:a62:6907:: with SMTP id e7-v6mr8324287pfc.238.1540080993332; Sat, 20 Oct 2018 17:16:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540080993; cv=none; d=google.com; s=arc-20160816; b=QvLSa3o3ND2TEsLaJ6SunKJRtpfZS8uq+m4vsks1Deb62g1kR7mz2dol3zjLTLw3jh T9P/l1CFKgT76uvlZxLb3XpT4JehqEWsHrrVtig1AHRO26xspu0pSgfETp91KujYoMmK WgAFoLzSbfRqXJWWZ/bKt3A//1Dz38qUKkzIPl734VwObL/8EOfvBZ4+iwFMTEBv9MxM eLLQpcK6BgmhwRtw0nCxzQil4o6s+SrAgQWeCevjHSpzKTJHRnDWUKsFnisrj9nhkm9i aW4+y1tMgQMuzhRwzRvYccEmU4UM0ziUkn3o3DEci+X3EBAIP/6EqSF3G7BTsK9b/MCP iz8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language:thread-index :content-transfer-encoding:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from; bh=V0tofo4Mn2paTS8JtJZdeodHwAIG5xFijPuimXPAJqs=; b=xQ1pz6guTVAkdS42YX51sC603ANx4W3MVisao2d8R9WNQW9FykaSvwgVmTvpVOKsUr WuPotSsvL2Vj4vcQc8vc+onJVZgXWZ9SbTGockN0jfWfobAOumg3yZ/OCcXm1ExjgctU KkAFK3HmcjzI24eusLLyRzdv77rU10NBLULpubEAivrvDPqVHa4aTBwvTI+PcAaFKSPB s6kDl3UPxEY21ApRvXG5BsvfWJlLzYj5t8qspH5Aitt6vN5ZAAznkwHv6x6u9Wx+5cNc oJsgnCgAr/0qHCCElix5WBVPCnRrNothS8YW4hogD5PFG7mtOIVVPTMqiehQQOmVP4O9 Hf7g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m138-v6si31441186pfd.80.2018.10.20.17.16.18; Sat, 20 Oct 2018 17:16:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727111AbeJUI1g convert rfc822-to-8bit (ORCPT + 99 others); Sun, 21 Oct 2018 04:27:36 -0400 Received: from linode.aoot.com ([69.164.194.13]:42582 "EHLO linode.aoot.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726624AbeJUI1g (ORCPT ); Sun, 21 Oct 2018 04:27:36 -0400 Received: from stevoacer (47-221-137-213.gtwncmta03.res.dyn.suddenlink.net [47.221.137.213]) by linode.aoot.com (Postfix) with ESMTP id CECB6821C; Sat, 20 Oct 2018 19:15:18 -0500 (CDT) From: "Steve Wise" To: "'Wenwen Wang'" Cc: "'Kangjie Lu'" , , , , , "'open list'" References: <1540072741-18856-1-git-send-email-wang6495@umn.edu> <038301d468ca$9d30ca90$d7925fb0$@opengridcomputing.com> In-Reply-To: Subject: RE: [PATCH] iw_cxgb4: fix a missing-check bug Date: Sat, 20 Oct 2018 19:15:17 -0500 Message-ID: <000401d468d3$259c3790$70d4a6b0$@opengridcomputing.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQHGM3QZHxRys26vq/PiwJXt1dGVDQG9X7blAxkWL/alHotKoA== Content-Language: en-us Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > -----Original Message----- > From: Wenwen Wang > Sent: Saturday, October 20, 2018 6:56 PM > To: swise@opengridcomputing.com > Cc: Kangjie Lu ; swise@chelsio.com; dledford@redhat.com; > jgg@ziepe.ca; linux-rdma@vger.kernel.org; open list kernel@vger.kernel.org>; Wenwen Wang > Subject: Re: [PATCH] iw_cxgb4: fix a missing-check bug > > On Sat, Oct 20, 2018 at 6:41 PM Steve Wise > wrote: > > > > Hey Wenwen, > > > > > Subject: [PATCH] iw_cxgb4: fix a missing-check bug > > > > > > In c4iw_flush_hw_cq, the next CQE is acquired through > t4_next_hw_cqe(). In > > > t4_next_hw_cqe(), the CQE, i.e., 'cq->queue[cq->cidx]', is checked to see > > > whether it is valid through t4_valid_cqe(). If it is valid, the address of > > > the CQE is then saved to 'hw_cqe'. Later on, the CQE is copied to the > > local > > > memory in create_read_req_cqe(). The problem here is that the CQE is > > > actually in a DMA region allocated by dma_alloc_coherent() in > create_cq(). > > > Given that the device also has the permission to access the DMA region, a > > > malicious device controlled by an attacker can modify the CQE in the DMA > > > region after the check in t4_next_hw_cqe() but before the copy in > > > create_read_req_cqe(). By doing so, the attacker can supply invalid CQE, > > > which can cause undefined behavior of the kernel and introduce > potential > > > security risks. > > > > > > > If the dma device is malicious, couldn't it just dma some incorrect CQE but > > still valid in the first place? I don't think this patch actually solves > > the issue, and it forces a copy of a 64B CQE in a critical data io path. > > Thanks for your response! If the malicious dma device just dma some > incorrect CQE, it will not be able to pass the verification in > t4_valid_cqe(). > As long as the gen bit is correct, the CQE is considered valid. You cannot protect against a malicious dma device. Or at least not with the current driver/device contract. Steve.