From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
To: Jason Wang <jasowang@redhat.com>
Cc: mst@redhat.com, virtualization@lists.linux-foundation.org,
linux-kernel@vger.kernel.org, xieyongji@bytedance.com,
stefanha@redhat.com, file@sect.tu-berlin.de,
ashish.kalra@amd.com, martin.radev@aisec.fraunhofer.de,
kvm@vger.kernel.org
Subject: Re: [RFC PATCH 0/7] Untrusted device support for virtio
Date: Wed, 28 Apr 2021 17:06:10 -0400 [thread overview]
Message-ID: <YInOQt1l/59zzPJK@Konrads-MacBook-Pro.local> (raw)
In-Reply-To: <20210421032117.5177-1-jasowang@redhat.com>
On Wed, Apr 21, 2021 at 11:21:10AM +0800, Jason Wang wrote:
> Hi All:
>
> Sometimes, the driver doesn't trust the device. This is usually
> happens for the encrtpyed VM or VDUSE[1]. In both cases, technology
> like swiotlb is used to prevent the poking/mangling of memory from the
> device. But this is not sufficient since current virtio driver may
> trust what is stored in the descriptor table (coherent mapping) for
> performing the DMA operations like unmap and bounce so the device may
> choose to utilize the behaviour of swiotlb to perform attacks[2].
We fixed it in the SWIOTLB. That is it saves the expected length
of the DMA operation. See
commit daf9514fd5eb098d7d6f3a1247cb8cc48fc94155
Author: Martin Radev <martin.b.radev@gmail.com>
Date: Tue Jan 12 16:07:29 2021 +0100
swiotlb: Validate bounce size in the sync/unmap path
The size of the buffer being bounced is not checked if it happens
to be larger than the size of the mapped buffer. Because the size
can be controlled by a device, as it's the case with virtio devices,
this can lead to memory corruption.
>
> For double insurance, to protect from a malicous device, when DMA API
> is used for the device, this series store and use the descriptor
> metadata in an auxiliay structure which can not be accessed via
> swiotlb instead of the ones in the descriptor table. Actually, we've
Sorry for being dense here, but how wold SWIOTLB be utilized for
this attack?
> almost achieved that through packed virtqueue and we just need to fix
> a corner case of handling mapping errors. For split virtqueue we just
> follow what's done in the packed.
>
> Note that we don't duplicate descriptor medata for indirect
> descriptors since it uses stream mapping which is read only so it's
> safe if the metadata of non-indirect descriptors are correct.
>
> The behaivor for non DMA API is kept for minimizing the performance
> impact.
>
> Slightly tested with packed on/off, iommu on/of, swiotlb force/off in
> the guest.
>
> Please review.
>
> [1] https://lore.kernel.org/netdev/fab615ce-5e13-a3b3-3715-a4203b4ab010@redhat.com/T/
> [2] https://yhbt.net/lore/all/c3629a27-3590-1d9f-211b-c0b7be152b32@redhat.com/T/#mc6b6e2343cbeffca68ca7a97e0f473aaa871c95b
>
> Jason Wang (7):
> virtio-ring: maintain next in extra state for packed virtqueue
> virtio_ring: rename vring_desc_extra_packed
> virtio-ring: factor out desc_extra allocation
> virtio_ring: secure handling of mapping errors
> virtio_ring: introduce virtqueue_desc_add_split()
> virtio: use err label in __vring_new_virtqueue()
> virtio-ring: store DMA metadata in desc_extra for split virtqueue
>
> drivers/virtio/virtio_ring.c | 189 ++++++++++++++++++++++++++---------
> 1 file changed, 141 insertions(+), 48 deletions(-)
>
> --
> 2.25.1
>
next prev parent reply other threads:[~2021-04-28 21:06 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-21 3:21 [RFC PATCH 0/7] Untrusted device support for virtio Jason Wang
2021-04-21 3:21 ` [RFC PATCH 1/7] virtio-ring: maintain next in extra state for packed virtqueue Jason Wang
2021-04-21 3:21 ` [RFC PATCH 2/7] virtio_ring: rename vring_desc_extra_packed Jason Wang
2021-04-21 3:21 ` [RFC PATCH 3/7] virtio-ring: factor out desc_extra allocation Jason Wang
2021-04-21 3:21 ` [RFC PATCH 4/7] virtio_ring: secure handling of mapping errors Jason Wang
2021-04-21 3:21 ` [RFC PATCH 5/7] virtio_ring: introduce virtqueue_desc_add_split() Jason Wang
2021-04-21 3:21 ` [RFC PATCH 6/7] virtio: use err label in __vring_new_virtqueue() Jason Wang
2021-04-21 3:21 ` [RFC PATCH 7/7] virtio-ring: store DMA metadata in desc_extra for split virtqueue Jason Wang
2021-04-22 6:31 ` [RFC PATCH 0/7] Untrusted device support for virtio Christoph Hellwig
2021-04-22 8:19 ` Jason Wang
2021-04-23 20:14 ` Michael S. Tsirkin
2021-04-25 1:43 ` Jason Wang
2021-04-28 21:06 ` Konrad Rzeszutek Wilk [this message]
2021-04-29 4:16 ` Jason Wang
2021-06-04 15:17 ` Konrad Rzeszutek Wilk
2021-06-07 2:46 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YInOQt1l/59zzPJK@Konrads-MacBook-Pro.local \
--to=konrad.wilk@oracle.com \
--cc=ashish.kalra@amd.com \
--cc=file@sect.tu-berlin.de \
--cc=jasowang@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.radev@aisec.fraunhofer.de \
--cc=mst@redhat.com \
--cc=stefanha@redhat.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=xieyongji@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).