From patchwork Thu Jan 20 08:01:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Klaus Jensen X-Patchwork-Id: 12718455 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id ED20DC433EF for ; Thu, 20 Jan 2022 09:03:00 +0000 (UTC) Received: from localhost ([::1]:59504 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nATLO-0007NJ-Le for qemu-devel@archiver.kernel.org; Thu, 20 Jan 2022 04:02:59 -0500 Received: from eggs.gnu.org ([209.51.188.92]:52676) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nASOS-0006u0-Uc; Thu, 20 Jan 2022 03:02:05 -0500 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:50551) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nASOQ-0005yi-4j; Thu, 20 Jan 2022 03:02:04 -0500 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 072775C01A2; Thu, 20 Jan 2022 03:01:59 -0500 (EST) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Thu, 20 Jan 2022 03:01:59 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=irrelevant.dk; h=cc:cc:content-transfer-encoding:date:date:from:from :in-reply-to:message-id:mime-version:reply-to:sender:subject :subject:to:to; s=fm2; bh=jmxXWMkosC9fPeNhqid7040e3vc4JvyB6UTFYo 1/DS4=; b=NI4ybHl8h5NYXuehypRCYWV+kIsGNhowcYsPW7pW3LcSsY8F7aFsRx YdcsveI5bpYn6EnWdHL5G8qaJJBw/7e2SFoX9W/NecU1/NR1o9T/ECexEewIzBjn sIw62UK4Jta4CKS/aRLLuPrhOZhc1uVplGSopyNipR7eEGnkV6jg2kU0zj3Cv08Q 5Z8U5Jvz26ZHH/eI9iKzCiU9UWEZjPuU1qBESP72itJInE4ViSj1HX1NPk8sxtPA 1Yj6Vo5HZ4cfqPoCfkBHBwBbM4wLml/mtpzdQcraLAtJ4zhZ2hhjxhvlCtiH5qks ss7lqQBfeImS/3CZwjJrGgCAnw2AAIlg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding:date:date :from:from:in-reply-to:message-id:mime-version:reply-to:sender :subject:subject:to:to:x-me-proxy:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=jmxXWMkosC9fPeNhqid7040e3vc4J vyB6UTFYo1/DS4=; b=KVBXMpv+AiPKvFk/kL4j/T1+hvF5gbgDKu/JOFNcSTAZ8 //aVHroHzOcNC9bXVEe+PvpefBHPfpC6BhFJ2bFXhYSfJp1nqcwxLeIRqy86Bgoz ZPvPVa6wvT/GfzjRgs40yF1TpitAEP79Th+MwgPhC1XKXiyyxZtt68aBVqp7lOo0 xCeHPd/MGn46lNePxw7F9ert8A8jCpjh54757Q9Afv1UXB3NBnG5eDbohMgWQS9/ v1DUdPfhCIAXGEmu/DWVjQk7V2O8+7BhIEPUMD+dvR50vXCTZzVi8CgF4wNrZ9mZ aS9j6py9sSVBEmlIpVsTktpJiZtk71AYopP6JVuAw== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrudejgdduudehucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhephffvufffkffoggfgsedtkeertdertddtnecuhfhrohhmpefmlhgruhhsucfl vghnshgvnhcuoehithhssehirhhrvghlvghvrghnthdrughkqeenucggtffrrghtthgvrh hnpeefveelvdeikeduueffteeggeefhedvffffjeeuueeludehvdegjeevjefhtdetheen ucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehithhsse hirhhrvghlvghvrghnthdrughk X-ME-Proxy: Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 20 Jan 2022 03:01:57 -0500 (EST) From: Klaus Jensen To: qemu-devel@nongnu.org Subject: [PATCH] hw/nvme: fix CVE-2021-3929 Date: Thu, 20 Jan 2022 09:01:55 +0100 Message-Id: <20220120080155.227246-1-its@irrelevant.dk> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Received-SPF: pass client-ip=66.111.4.25; envelope-from=its@irrelevant.dk; helo=out1-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: qemu-block@nongnu.org, Klaus Jensen , Qiuhao Li , Klaus Jensen , Keith Busch , =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" From: Klaus Jensen This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the device itself. This still allows DMA to MMIO regions of other devices (e.g. doing P2P DMA to the controller memory buffer of another NVMe device). Fixes: CVE-2021-3929 Reported-by: Qiuhao Li Signed-off-by: Klaus Jensen Reviewed-by: Keith Busch --- hw/nvme/ctrl.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c index 5f573c417b3d..9a79f6728867 100644 --- a/hw/nvme/ctrl.c +++ b/hw/nvme/ctrl.c @@ -357,6 +357,16 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr) return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba); } +static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) +{ + hwaddr hi, lo; + + lo = n->bar0.addr; + hi = lo + int128_get64(n->bar0.size); + + return addr >= lo && addr < hi; +} + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) { hwaddr hi = addr + size - 1; @@ -614,6 +624,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len) trace_pci_nvme_map_addr(addr, len); + if (nvme_addr_is_iomem(n, addr)) { + return NVME_DATA_TRAS_ERROR; + } + if (nvme_addr_is_cmb(n, addr)) { cmb = true; } else if (nvme_addr_is_pmr(n, addr)) {