Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp4571514imd; Tue, 30 Oct 2018 04:18:10 -0700 (PDT) X-Google-Smtp-Source: AJdET5dIPAvBtQhlKhNmPHTvCjUD6gmw3dLWUh1miZuLetf9JgKuszDlL2kXf/3pZ4R9DX0abjDz X-Received: by 2002:a63:6150:: with SMTP id v77mr17166737pgb.266.1540898290303; Tue, 30 Oct 2018 04:18:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1540898290; cv=none; d=google.com; s=arc-20160816; b=Msg0OiB1evpgUgq6s1sqtbX/eNfEeXsrSAFt+o/lru9Q4gEsl7LUNm33GDbo7BGXJ4 zUIYk3VAFCtQX1Au+w6R0AUG+PGqjqNFhAqDqw9EmpvRZUCiqup+GVldPFmKtti+Di3r klIqJCfpOWER5zYjYVw0ysxIzXKZgk+ZXSy/Jvucb2684o86IcxJCHedWKyC+CgnhjII Vlfc9OZhXItzFtelDomqBjkcnSByCr63q2N+9++Nkfihh/IWf49M6GiK1RGKw5kQaKiO tPYn8lJTCW7MiKjRU4Fco/oy/BaZQqc+67uJ8CzE3lkIoSvwzbKv9/+Bs9hJR0htkw3/ xFMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from; bh=U0wQHirZELyK+RPdRpzjbWrtNxLEDgIRLHJ6je5WcvQ=; b=qpUoRkHViiVkVBbK810luQco3i98AxKRJTLezuiO0gjtE+hQ7Zq6/kd0bmDfi2giw7 wMBEgjmLIC8xcEYl4rJCsvtu90kHGeOau0DuQh+KkPk7fazVdsNrCKyIVQNjRqTF0QcH gDYMrlGzVgn2PvxyJzZfKkD0QElvhjtqUt8DN55nNlIj+jn/ThKXk393JGF3cSeBiKMN WFT9wQWLf9sFR5b6nnKtlIXCGDkTIM0Azmg93Pb7pdizWmragNNr8nj5Jcb8MPpDhJww Tuzp4qH5SSwQHxdn0tUYkb6jdv/5AekDM3QAMz3CeeVIgA90CSDRKiFiPfCilAvb7QDV hWFA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a144-v6si6657496pfd.138.2018.10.30.04.17.55; Tue, 30 Oct 2018 04:18:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727709AbeJ3UJD (ORCPT + 99 others); Tue, 30 Oct 2018 16:09:03 -0400 Received: from mga17.intel.com ([192.55.52.151]:56946 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726225AbeJ3UJD (ORCPT ); Tue, 30 Oct 2018 16:09:03 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 30 Oct 2018 04:16:00 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,444,1534834800"; d="scan'208";a="85674177" Received: from um.fi.intel.com (HELO localhost) ([10.237.72.212]) by orsmga008.jf.intel.com with ESMTP; 30 Oct 2018 04:15:58 -0700 From: Alexander Shishkin To: Wenwen Wang , Wenwen Wang Cc: Kangjie Lu , open list Subject: Re: [PATCH] intel_th: Fix a missing-check bug In-Reply-To: References: <1539956812-11300-1-git-send-email-wang6495@umn.edu> Date: Tue, 30 Oct 2018 13:15:57 +0200 Message-ID: <871s877kia.fsf@ashishki-desk.ger.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Wenwen Wang writes: > Hello, > > Can anyone confirm this bug? Thanks! Commonly this burden lies with the author of the patch. If you fix a bug, you need to be able to demonstrate it. If it's a mere hypothesis, there needs to be a detailed analysis of how exactly can this be exploited and what is the potential outcome of an exploit. Some other questions that arise from looking at the patch, for example, does gcc actually generate different code as a result of this patch? > On Fri, Oct 19, 2018 at 8:47 AM Wenwen Wang wrote: >> >> In msc_data_sz(), the 'valid_dw' field of the msc block descriptor 'bdesc' >> is firstly checked to see whether the descriptor has a valid data width. If >> yes, i.e., 'bdesc->valid_dw' is not 0, the data size of this descriptor >> will be returned. It is worth noting that the data size is calculated from >> 'bdesc->valid_dw'. The problem here is that 'bdesc' actually points to a >> consistent DMA region, which is allocated through dma_alloc_coherent() in >> msc_buffer_win_alloc(). Given that the device also has the permission to >> access this DMA region, it is possible that a malicious device controlled >> by an attacker can modify the 'valid_dw' field after the if statement but >> before the return statement in msc_data_sz(). Through this way, the >> device So, I *guess* you're assuming that an IOMMU will stop the malicious device from overwriting the kernel code directly, so instead they're reduced to breaking the driver's assumptions about the HW behavior, and that is the reason why patches like this are sent in the first place. This train of thought needs to be explained. Now, if we start defending ourselves against malicious hardware, we need a comprehensive analysis of possible attack vectors and their consequences. I'm not convinced that it needs to be done in the first place, but if it does, it sure needs to be better than grepping for a potential load after validation. >> can bypass the check and supply unexpected data width. >> >> This patch copies the 'valid_dw' field to a local variable and then >> performs the check and the calculation on the local variable to avoid the >> above issue. >> >> Signed-off-by: Wenwen Wang >> --- >> drivers/hwtracing/intel_th/msu.h | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/drivers/hwtracing/intel_th/msu.h b/drivers/hwtracing/intel_th/msu.h >> index 9cc8ace..b7d846e 100644 >> --- a/drivers/hwtracing/intel_th/msu.h >> +++ b/drivers/hwtracing/intel_th/msu.h >> @@ -79,10 +79,12 @@ struct msc_block_desc { >> >> static inline unsigned long msc_data_sz(struct msc_block_desc *bdesc) >> { >> - if (!bdesc->valid_dw) >> + u32 valid_dw = bdesc->valid_dw; >> + >> + if (!valid_dw) >> return 0; >> >> - return bdesc->valid_dw * 4 - MSC_BDESC; >> + return valid_dw * 4 - MSC_BDESC; Or, the "malicious device" could just set valid_dw to something within [1; MSC_BDESC/4), pass the check anyway and yield a more interesting result, which may lead to an out-of-bounds access in the buffer reading function. In other words, there's potential for improvement around this function, but this patch misses it. Regards, -- Alex