qemu-block
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 0/2] hw/nvme: Fix CVE-2021-3929 (DMA re-entrancy exploitation

From: Klaus Jensen
Subject: Re: [PATCH 0/2] hw/nvme: Fix CVE-2021-3929 (DMA re-entrancy exploitation)
Date: Thu, 16 Dec 2021 20:55:47 +0100 
On Dec 16 20:13, Klaus Jensen wrote:
> On Dec 16 18:55, Philippe Mathieu-Daudé wrote:
> > Now that the DMA API allow passing MemTxAttrs argument and
> > returning MemTxResult (with MEMTX_BUS_ERROR in particular),
> > we can restrict the NVMe controller to memories (prohibitting
> > accesses by the DMA engine to devices) and block yet another
> > DMA re-entrancy attack.
> > 
> > I'll will try to get a reproducer (and authorization to commit
> > it as qtest) from the reporter.
> > 
> > Based-on: <20211216123558.799425-1-philmd@redhat.com>
> > "hw: Have DMA API take MemTxAttrs arg & propagate MemTxResult (part 2)"
> > 20211216123558.799425-1-philmd@redhat.com/">https://lore.kernel.org/qemu-devel/20211216123558.799425-1-philmd@redhat.com/
> > 
> > Philippe Mathieu-Daudé (2):
> >   hw/nvme/ctrl: Do not ignore DMA access errors
> >   hw/nvme/ctrl: Prohibit DMA accesses to devices (CVE-2021-3929)
> > 
> >  hw/nvme/ctrl.c | 9 +++++----
> >  1 file changed, 5 insertions(+), 4 deletions(-)
> > 
> 
> LGTM.
> 
> Reviewed-by: Klaus Jensen <k.jensen@samsung.com>

Ugh. Jumped the gun here.

This all looked fine, but since this prohibits DMA to other devices it
breaks DMA'ing to a controller memory buffer on another device, which is
a used feature of some setups.

I think we need to fix this like e1000 did?

Attachment: signature.asc
Description: PGP signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]