| Message ID | 20211215205527.488480-1-philmd@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | hw/sd/sdhci: Fix DMA re-entrancy issue | expand |
On 12/15/21 21:55, Philippe Mathieu-Daudé wrote: > Hi, > > This series is an attempt to fix the DMA re-entrancy problem > on the SDHCI device. OSS-Fuzz found it and Alexander generated > a helpful reproducer. > > By setting the MemTxAttrs::memory bit before doing DMA transactions, > the flatview API will return MEMTX_BUS_ERROR if the transaction > targets a non-memory (a device), which is usually how DMA-reentrancy > bugs are exploited. > > On real hardware, the checks are on the interconnect bus, not in > the SDHCI block. However QEMU blocks aren't modelled that way. > Using the flatview API seems (to me) the simplest and closer > to hardware, it is a generic API and we can use it to trace > bus transactions on all blocks. > > Note this series is simply one example to fix the generic > issues. The important changes are in the previous series: > https://lore.kernel.org/qemu-devel/20211215182421.418374-1-philmd@redhat.com/ > Based-on: <20211215182421.418374-1-philmd@redhat.com> > "physmem: Have flatview API check bus permission from MemTxAttrs" Please disregard this cover, I forgot to post as RFC...
Hi, This series is an attempt to fix the DMA re-entrancy problem on the SDHCI device. OSS-Fuzz found it and Alexander generated a helpful reproducer. By setting the MemTxAttrs::memory bit before doing DMA transactions, the flatview API will return MEMTX_BUS_ERROR if the transaction targets a non-memory (a device), which is usually how DMA-reentrancy bugs are exploited. On real hardware, the checks are on the interconnect bus, not in the SDHCI block. However QEMU blocks aren't modelled that way. Using the flatview API seems (to me) the simplest and closer to hardware, it is a generic API and we can use it to trace bus transactions on all blocks. Note this series is simply one example to fix the generic issues. The important changes are in the previous series: https://lore.kernel.org/qemu-devel/20211215182421.418374-1-philmd@redhat.com/ Based-on: <20211215182421.418374-1-philmd@redhat.com> "physmem: Have flatview API check bus permission from MemTxAttrs" Cc: Mauro Matteo Cascella <mcascell@redhat.com> Cc: Qiuhao Li <Qiuhao.Li@outlook.com> Cc: Peter Xu <peterx@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Cc: David Hildenbrand <david@redhat.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Cc: Peter Maydell <peter.maydell@linaro.org> Cc: Li Qiang <liq3ea@gmail.com> Cc: Thomas Huth <thuth@redhat.com> Cc: Laurent Vivier <lvivier@redhat.com> Cc: Bandan Das <bsd@redhat.com> Cc: Edgar E. Iglesias <edgar.iglesias@gmail.com> Cc: Darren Kenny <darren.kenny@oracle.com> Cc: Bin Meng <bin.meng@windriver.com> Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Alexander Bulekov <alxndr@bu.edu> Cc: Stefan Hajnoczi <stefanha@redhat.com> Philippe Mathieu-Daudé (3): hw/sd/sdhci: Honor failed DMA transactions hw/sd/sdhci: Prohibit DMA accesses to devices tests/qtest/fuzz-sdcard-test: Add reproducer for OSS-Fuzz (Issue 29225) hw/sd/sdhci.c | 35 ++++++++++++---- tests/qtest/fuzz-sdcard-test.c | 76 ++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+), 9 deletions(-)