From: Felicitas Hetzelt <file@sect.tu-berlin.de>
To: <virtualization@lists.linux-foundation.org>,
<iommu@lists.linux-foundation.org>
Cc: "Radev, Martin" <martin.radev@aisec.fraunhofer.de>,
david.kaplan@amd.com, "Michael S. Tsirkin" <mst@redhat.com>,
Jason Wang <jasowang@redhat.com>,
konrad.wilk@oracle.com, Robert Buhren <robert@sect.tu-berlin.de>,
"Morbitzer, Mathias" <mathias.morbitzer@aisec.fraunhofer.de>
Subject: swiotlb/virtio: unchecked device dma address and length
Date: Fri, 11 Dec 2020 18:31:21 +0100 [thread overview]
Message-ID: <d2ae0b1d-332b-42a1-87bf-7da2b749cac2@sect.tu-berlin.de> (raw)
Hello,
we have been analyzing the Hypervisor-OS interface of Linux
and discovered bugs in the swiotlb/virtio implementation that can be
triggered from a malicious Hypervisor / virtual device.
With SEV, the SWIOTLB implementation is forcefully enabled and would
always be used. Thus, all virtio devices and others would use it under
the hood.
The reason for analyzing this interface is that, technologies such as
Intel's Trusted Domain Extensions [1] and AMD's Secure Nested Paging [2]
change the threat model assumed by various Linux kernel subsystems.
These technologies take the presence of a fully malicious hypervisor
into account and aim to provide protection for virtual machines in such
an environment. Therefore, all input received from the hypervisor or an
external device should be carefully validated. Note that these issues
are of little (or no) relevance in a "normal" virtualization setup,
nevertheless we believe that it is required to fix them if TDX or SNP is
used.
We are happy to provide more information if needed!
[1]
https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html
[2] https://www.amd.com/en/processors/amd-secure-encrypted-virtualization
Bug:
OOB memory write.
dma_unmap_single -> swiotlb_tbl_unmap_single is invoked with dma_addr
and length parameters that are under control of the device.
This happens e.g. in virtio_ring:
https://elixir.bootlin.com/linux/v5.10-rc7/source/drivers/virtio/virtio_ring.c#L378
This raises two issues:
1) swiotlb_tlb_unmap_single fails to check whether the index generated
from the dma_addr is in range of the io_tlb_orig_addr array.
2) when swiotlb_bounce is called the device controls the length of the
memory copied to the cpu address.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
next reply other threads:[~2020-12-11 18:57 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-11 17:31 Felicitas Hetzelt [this message]
2020-12-14 21:49 ` swiotlb/virtio: unchecked device dma address and length Konrad Rzeszutek Wilk
2020-12-14 21:49 ` Konrad Rzeszutek Wilk
2020-12-15 3:20 ` Jason Wang
2020-12-15 3:20 ` Jason Wang
2020-12-15 14:27 ` Konrad Rzeszutek Wilk
2020-12-15 14:27 ` Konrad Rzeszutek Wilk
2020-12-16 5:53 ` Jason Wang
2020-12-16 5:53 ` Jason Wang
2020-12-16 6:41 ` Jason Wang
2020-12-16 6:41 ` Jason Wang
2020-12-16 13:04 ` Konrad Rzeszutek Wilk
2020-12-16 13:04 ` Konrad Rzeszutek Wilk
2020-12-17 4:19 ` Jason Wang
2020-12-17 4:19 ` Jason Wang
2020-12-17 22:55 ` Ashish Kalra
2020-12-16 8:54 ` Michael S. Tsirkin
2020-12-16 8:54 ` Michael S. Tsirkin
2020-12-16 13:07 ` Konrad Rzeszutek Wilk
2020-12-16 13:07 ` Konrad Rzeszutek Wilk
2020-12-16 22:07 ` Radev, Martin
2020-12-17 23:17 ` Ashish Kalra
2020-12-18 9:28 ` Radev, Martin
2020-12-15 8:47 ` Ashish Kalra
2020-12-15 10:54 ` Felicitas Hetzelt
2020-12-15 14:37 ` Konrad Rzeszutek Wilk
2020-12-15 14:37 ` Konrad Rzeszutek Wilk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d2ae0b1d-332b-42a1-87bf-7da2b749cac2@sect.tu-berlin.de \
--to=file@sect.tu-berlin.de \
--cc=david.kaplan@amd.com \
--cc=iommu@lists.linux-foundation.org \
--cc=jasowang@redhat.com \
--cc=konrad.wilk@oracle.com \
--cc=martin.radev@aisec.fraunhofer.de \
--cc=mathias.morbitzer@aisec.fraunhofer.de \
--cc=mst@redhat.com \
--cc=robert@sect.tu-berlin.de \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.