All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed
From: Felicitas Hetzelt <file@sect.tu-berlin.de>
To: <virtualization@lists.linux-foundation.org>,
	<iommu@lists.linux-foundation.org>
Cc: "Radev, Martin" <martin.radev@aisec.fraunhofer.de>,
	david.kaplan@amd.com, "Michael S. Tsirkin" <mst@redhat.com>,
	Jason Wang <jasowang@redhat.com>,
	konrad.wilk@oracle.com, Robert Buhren <robert@sect.tu-berlin.de>,
	"Morbitzer, Mathias" <mathias.morbitzer@aisec.fraunhofer.de>
Subject: swiotlb/virtio: unchecked device dma address and length
Date: Fri, 11 Dec 2020 18:31:21 +0100	[thread overview]
Message-ID: <d2ae0b1d-332b-42a1-87bf-7da2b749cac2@sect.tu-berlin.de> (raw)

Hello,
we have been analyzing the Hypervisor-OS interface of Linux
and discovered bugs in the swiotlb/virtio implementation that can be
triggered from a malicious Hypervisor / virtual device.
With SEV, the SWIOTLB implementation is forcefully enabled and would
always be used. Thus, all virtio devices and others would use it under
the hood.

The reason for analyzing this interface is that, technologies such as
Intel's Trusted Domain Extensions [1] and AMD's Secure Nested Paging [2]
change the threat model assumed by various Linux kernel subsystems.
These technologies take the presence of a fully malicious hypervisor
into account and aim to provide protection for virtual machines in such
an environment. Therefore, all input received from the hypervisor or an
external device should be carefully validated. Note that these issues
are of little (or no) relevance in a "normal" virtualization setup,
nevertheless we believe that it is required to fix them if TDX or SNP is
used.

We are happy to provide more information if needed!

[1]
https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html

[2] https://www.amd.com/en/processors/amd-secure-encrypted-virtualization

Bug:
OOB memory write.
dma_unmap_single -> swiotlb_tbl_unmap_single is invoked with dma_addr
and length parameters that are under control of the device.
This happens e.g. in virtio_ring:
https://elixir.bootlin.com/linux/v5.10-rc7/source/drivers/virtio/virtio_ring.c#L378

This raises two issues:
1) swiotlb_tlb_unmap_single fails to check whether the index generated
from the dma_addr is in range of the io_tlb_orig_addr array.
2) when swiotlb_bounce is called the device controls the length of the
memory copied to the cpu address.
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu

             reply	other threads:[~2020-12-11 18:57 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-11 17:31 Felicitas Hetzelt [this message]
2020-12-14 21:49 ` swiotlb/virtio: unchecked device dma address and length Konrad Rzeszutek Wilk
2020-12-14 21:49   ` Konrad Rzeszutek Wilk
2020-12-15  3:20   ` Jason Wang
2020-12-15  3:20     ` Jason Wang
2020-12-15 14:27     ` Konrad Rzeszutek Wilk
2020-12-15 14:27       ` Konrad Rzeszutek Wilk
2020-12-16  5:53       ` Jason Wang
2020-12-16  5:53         ` Jason Wang
2020-12-16  6:41         ` Jason Wang
2020-12-16  6:41           ` Jason Wang
2020-12-16 13:04           ` Konrad Rzeszutek Wilk
2020-12-16 13:04             ` Konrad Rzeszutek Wilk
2020-12-17  4:19             ` Jason Wang
2020-12-17  4:19               ` Jason Wang
2020-12-17 22:55               ` Ashish Kalra
2020-12-16  8:54     ` Michael S. Tsirkin
2020-12-16  8:54       ` Michael S. Tsirkin
2020-12-16 13:07       ` Konrad Rzeszutek Wilk
2020-12-16 13:07         ` Konrad Rzeszutek Wilk
2020-12-16 22:07         ` Radev, Martin
2020-12-17 23:17           ` Ashish Kalra
2020-12-18  9:28             ` Radev, Martin
2020-12-15  8:47   ` Ashish Kalra
2020-12-15 10:54     ` Felicitas Hetzelt
2020-12-15 14:37       ` Konrad Rzeszutek Wilk
2020-12-15 14:37         ` Konrad Rzeszutek Wilk

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d2ae0b1d-332b-42a1-87bf-7da2b749cac2@sect.tu-berlin.de \
    --to=file@sect.tu-berlin.de \
    --cc=david.kaplan@amd.com \
    --cc=iommu@lists.linux-foundation.org \
    --cc=jasowang@redhat.com \
    --cc=konrad.wilk@oracle.com \
    --cc=martin.radev@aisec.fraunhofer.de \
    --cc=mathias.morbitzer@aisec.fraunhofer.de \
    --cc=mst@redhat.com \
    --cc=robert@sect.tu-berlin.de \
    --cc=virtualization@lists.linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.