From: Jia-Ju Bai <baijiaju@tsinghua.edu.cn>
To: jejb@linux.ibm.com, linuxdrivers@attotech.com,
martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] scsi: esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_fs_ioctl()
Date: Mon, 3 Aug 2020 11:07:57 +0800 [thread overview]
Message-ID: <81351eab-69c0-89dc-4e58-146a005b5929@tsinghua.edu.cn> (raw)
In-Reply-To: <1596383240.4087.8.camel@linux.ibm.com>
On 2020/8/2 23:47, James Bottomley wrote:
> On Sun, 2020-08-02 at 23:21 +0800, Jia-Ju Bai wrote:
>> Because "fs" is mapped to DMA, its data can be modified at anytime by
>> malicious or malfunctioning hardware. In this case, the check
>> "if (fsc->command >= cmdcnt)" can be passed, and then "fsc->command"
>> can be modified by hardware to cause buffer overflow.
> This threat model seems to be completely bogus. If the device were
> malicious it would have given the mailbox incorrect values a priori ...
> it wouldn't give the correct value then update it. For most systems we
> do assume correct operation of the device but if there's a worry about
> incorrect operation, the usual approach is to guard the device with an
> IOMMU which, again, would make this sort of fix unnecessary because the
> IOMMU will have removed access to the buffer after the command
> completed.
Thanks for the reply :)
In my opinion, IOMMU is used to prevent the hardware from accessing
arbitrary memory addresses, but it cannot prevent the hardware from
writing a bad value into a valid memory address.
For this reason, I think that the hardware can normally access
"fsc->command" and modify it into arbitrary value at any time, because
IOMMU considers the address of "fsc->command" is valid for the hardware.
Best wishes,
Jia-Ju Bai
next prev parent reply other threads:[~2020-08-03 3:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-02 15:21 [PATCH] scsi: esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_fs_ioctl() Jia-Ju Bai
2020-08-02 15:47 ` James Bottomley
2020-08-03 3:07 ` Jia-Ju Bai [this message]
2020-08-03 5:51 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=81351eab-69c0-89dc-4e58-146a005b5929@tsinghua.edu.cn \
--to=baijiaju@tsinghua.edu.cn \
--cc=jejb@linux.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=linuxdrivers@attotech.com \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.