| Message ID | 20220121063225.312603-1-its@irrelevant.dk (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] hw/nvme: fix CVE-2021-3929 | expand |
On 21/1/22 07:32, Klaus Jensen wrote: > From: Klaus Jensen <k.jensen@samsung.com> > > This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the > device itself. This still allows DMA to MMIO regions of other devices > (e.g. doing P2P DMA to the controller memory buffer of another NVMe > device). > > Fixes: CVE-2021-3929 > Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> > Reviewed-by: Keith Busch <kbusch@kernel.org> > Signed-off-by: Klaus Jensen <k.jensen@samsung.com> > --- > hw/nvme/ctrl.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
On Jan 21 07:32, Klaus Jensen wrote: > From: Klaus Jensen <k.jensen@samsung.com> > > This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the > device itself. This still allows DMA to MMIO regions of other devices > (e.g. doing P2P DMA to the controller memory buffer of another NVMe > device). > > Fixes: CVE-2021-3929 > Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> > Reviewed-by: Keith Busch <kbusch@kernel.org> > Signed-off-by: Klaus Jensen <k.jensen@samsung.com> > --- > hw/nvme/ctrl.c | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > Applied to nvme-next.
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 5f573c417b3d..eda52c6ac74b 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr) return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba); } +static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) +{ + hwaddr hi, lo; + + /* + * The purpose of this check is to guard against invalid "local" access to + * the iomem (i.e. controller registers). Thus, we check against the range + * covered by the 'bar0' MemoryRegion since that is currently composed of + * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, + * that if the device model is ever changed to allow the CMB to be located + * in BAR0 as well, then this must be changed. + */ + lo = n->bar0.addr; + hi = lo + int128_get64(n->bar0.size); + + return addr >= lo && addr < hi; +} + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) { hwaddr hi = addr + size - 1; @@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len) trace_pci_nvme_map_addr(addr, len); + if (nvme_addr_is_iomem(n, addr)) { + return NVME_DATA_TRAS_ERROR; + } + if (nvme_addr_is_cmb(n, addr)) { cmb = true; } else if (nvme_addr_is_pmr(n, addr)) {