Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp4571514imd;
        Tue, 30 Oct 2018 04:18:10 -0700 (PDT)
X-Google-Smtp-Source: AJdET5dIPAvBtQhlKhNmPHTvCjUD6gmw3dLWUh1miZuLetf9JgKuszDlL2kXf/3pZ4R9DX0abjDz
X-Received: by 2002:a63:6150:: with SMTP id v77mr17166737pgb.266.1540898290303;
        Tue, 30 Oct 2018 04:18:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540898290; cv=none;
        d=google.com; s=arc-20160816;
        b=Msg0OiB1evpgUgq6s1sqtbX/eNfEeXsrSAFt+o/lru9Q4gEsl7LUNm33GDbo7BGXJ4
         zUIYk3VAFCtQX1Au+w6R0AUG+PGqjqNFhAqDqw9EmpvRZUCiqup+GVldPFmKtti+Di3r
         klIqJCfpOWER5zYjYVw0ysxIzXKZgk+ZXSy/Jvucb2684o86IcxJCHedWKyC+CgnhjII
         Vlfc9OZhXItzFtelDomqBjkcnSByCr63q2N+9++Nkfihh/IWf49M6GiK1RGKw5kQaKiO
         tPYn8lJTCW7MiKjRU4Fco/oy/BaZQqc+67uJ8CzE3lkIoSvwzbKv9/+Bs9hJR0htkw3/
         xFMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:references
         :in-reply-to:subject:cc:to:from;
        bh=U0wQHirZELyK+RPdRpzjbWrtNxLEDgIRLHJ6je5WcvQ=;
        b=qpUoRkHViiVkVBbK810luQco3i98AxKRJTLezuiO0gjtE+hQ7Zq6/kd0bmDfi2giw7
         wMBEgjmLIC8xcEYl4rJCsvtu90kHGeOau0DuQh+KkPk7fazVdsNrCKyIVQNjRqTF0QcH
         gDYMrlGzVgn2PvxyJzZfKkD0QElvhjtqUt8DN55nNlIj+jn/ThKXk393JGF3cSeBiKMN
         WFT9wQWLf9sFR5b6nnKtlIXCGDkTIM0Azmg93Pb7pdizWmragNNr8nj5Jcb8MPpDhJww
         Tuzp4qH5SSwQHxdn0tUYkb6jdv/5AekDM3QAMz3CeeVIgA90CSDRKiFiPfCilAvb7QDV
         hWFA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a144-v6si6657496pfd.138.2018.10.30.04.17.55;
        Tue, 30 Oct 2018 04:18:10 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727709AbeJ3UJD (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Tue, 30 Oct 2018 16:09:03 -0400
Received: from mga17.intel.com ([192.55.52.151]:56946 "EHLO mga17.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726225AbeJ3UJD (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 30 Oct 2018 16:09:03 -0400
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga008.jf.intel.com ([10.7.209.65])
  by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Oct 2018 04:16:00 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,444,1534834800"; 
   d="scan'208";a="85674177"
Received: from um.fi.intel.com (HELO localhost) ([10.237.72.212])
  by orsmga008.jf.intel.com with ESMTP; 30 Oct 2018 04:15:58 -0700
From:   Alexander Shishkin <alexander.shishkin@linux.intel.com>
To:     Wenwen Wang <wang6495@umn.edu>, Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>, open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] intel_th: Fix a missing-check bug
In-Reply-To: <CAAa=b7fnx01565vUuturXLefLjsfUwGpD8Zh1bZZnrkSQ=wWpg@mail.gmail.com>
References: <1539956812-11300-1-git-send-email-wang6495@umn.edu> <CAAa=b7fnx01565vUuturXLefLjsfUwGpD8Zh1bZZnrkSQ=wWpg@mail.gmail.com>
Date:   Tue, 30 Oct 2018 13:15:57 +0200
Message-ID: <871s877kia.fsf@ashishki-desk.ger.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Wenwen Wang <wang6495@umn.edu> writes:

> Hello,
>
> Can anyone confirm this bug? Thanks!

Commonly this burden lies with the author of the patch. If you fix a
bug, you need to be able to demonstrate it. If it's a mere hypothesis,
there needs to be a detailed analysis of how exactly can this be
exploited and what is the potential outcome of an exploit.

Some other questions that arise from looking at the patch, for example,
does gcc actually generate different code as a result of this patch?

> On Fri, Oct 19, 2018 at 8:47 AM Wenwen Wang <wang6495@umn.edu> wrote:
>>
>> In msc_data_sz(), the 'valid_dw' field of the msc block descriptor 'bdesc'
>> is firstly checked to see whether the descriptor has a valid data width. If
>> yes, i.e., 'bdesc->valid_dw' is not 0, the data size of this descriptor
>> will be returned. It is worth noting that the data size is calculated from
>> 'bdesc->valid_dw'. The problem here is that 'bdesc' actually points to a
>> consistent DMA region, which is allocated through dma_alloc_coherent() in
>> msc_buffer_win_alloc(). Given that the device also has the permission to
>> access this DMA region, it is possible that a malicious device controlled
>> by an attacker can modify the 'valid_dw' field after the if statement but
>> before the return statement in msc_data_sz(). Through this way, the
>> device

So, I *guess* you're assuming that an IOMMU will stop the malicious
device from overwriting the kernel code directly, so instead they're
reduced to breaking the driver's assumptions about the HW behavior, and
that is the reason why patches like this are sent in the first
place. This train of thought needs to be explained. Now, if we start
defending ourselves against malicious hardware, we need a comprehensive
analysis of possible attack vectors and their consequences. I'm not
convinced that it needs to be done in the first place, but if it does,
it sure needs to be better than grepping for a potential load after
validation.

>> can bypass the check and supply unexpected data width.
>>
>> This patch copies the 'valid_dw' field to a local variable and then
>> performs the check and the calculation on the local variable to avoid the
>> above issue.
>>
>> Signed-off-by: Wenwen Wang <wang6495@umn.edu>
>> ---
>>  drivers/hwtracing/intel_th/msu.h | 6 ++++--
>>  1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/hwtracing/intel_th/msu.h b/drivers/hwtracing/intel_th/msu.h
>> index 9cc8ace..b7d846e 100644
>> --- a/drivers/hwtracing/intel_th/msu.h
>> +++ b/drivers/hwtracing/intel_th/msu.h
>> @@ -79,10 +79,12 @@ struct msc_block_desc {
>>
>>  static inline unsigned long msc_data_sz(struct msc_block_desc *bdesc)
>>  {
>> -       if (!bdesc->valid_dw)
>> +       u32 valid_dw = bdesc->valid_dw;
>> +
>> +       if (!valid_dw)
>>                 return 0;
>>
>> -       return bdesc->valid_dw * 4 - MSC_BDESC;
>> +       return valid_dw * 4 - MSC_BDESC;

Or, the "malicious device" could just set valid_dw to something within
[1; MSC_BDESC/4), pass the check anyway and yield a more interesting
result, which may lead to an out-of-bounds access in the buffer reading
function. In other words, there's potential for improvement around this
function, but this patch misses it.

Regards,
--
Alex