[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] VT-d: avoid NULL deref on domain_context_mapping_one() error paths


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Wed, 6 Apr 2022 17:01:31 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DFay5JcOunxrFtlt5m5C+q0vtIX11QnfKQ750bGrSOs=; b=Lto9FTBJT8CnSoq1e/ERUWMxYg2l/ZaECNCeaFdncop1mjGcI75+T+o4ocJsdENQ/zTVDAAcCKhh6K9+YSmG24aedSEUsU1gYXGqeiDBvtBjajSW8cDieVvaYZm9jDDf4YkHrVHJ0tXXEv/zV7ALkoUd9tAMC80bnM5ts1Q83VN3A+lXHQL5fBXzGkCKHdcBDZFSItbyAbJzvcsKDGekwFVk3TYUAW+eyqq97LtAw/bu+mIdCaW78VYxlqQgya2kubsixHpictNVAhrAo2xzs67MkMXGC/B2y/Gv95NXtmJCs/oOvPRNyLywYzfjuWWYHzK5BTAB/3NgyRgOcKODQw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KzJmeY2jNzvE3yf4q1bg1WU4suGkOCt9U3IkRhLIV/r+7Xnvt0bKYRZq/BDgMgAdwATPXFitwVYaMs3GgGS9aAsUAELphquM4GC6nDmO6OLbfSWWsBw4LBUIXqVSA280bZpdYOQj3PjB9EvCbRgDCAYmWhyR6RWuNS/Okd/8mCeoqYxu5EzYVkcmhNAJwrIzoH/z6QfZtmzOeuA3QJRFa8JJ0EpZmyqFn2BLZ0zbb8xy1AMxpzuen7xkGWvjs8jFJ2p2UAgWMBQU+ftm7RPOlrh1BMq48EVqgKauNBKh4z+Ky4S/30GirJPqilDQIBDG9H5HofHW7He09voXDyP7eA==
  • Authentication-results: esa6.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Kevin Tian" <kevin.tian@xxxxxxxxx>, Paul Durrant <paul@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Julien Grall" <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Wed, 06 Apr 2022 15:01:49 +0000
  • Ironport-data: A9a23:YFjS46K+ELmvFZLcFE+RCpUlxSXFcZb7ZxGr2PjKsXjdYENS12YCz mQXWzjVOf2OMDOhKYh3bY3k/UwBvZaBn9Y1TlFlqX01Q3x08seUXt7xwmUcns+xwm8vaGo9s q3yv/GZdJhcokf0/0vrav67xZVF/fngqoDUUYYoAQgsA148IMsdoUg7wbRh3tY22YLR7z6l4 rseneWOYDdJ5BYsWo4kw/rrRMRH5amaVJsw5zTSVNgT1LPsvyB94KE3fMldG0DQUIhMdtNWc s6YpF2PEsE1yD92Yj+tuu6TnkTn2dc+NyDW4pZdc/DKbhSvOkXee0v0XRYRQR4/ttmHozx+4 OlIp8ygSlcqAqKPudYzXjtdCngvPIQTrdcrIVDn2SCS50jPcn+qyPRyFkAme4Yf/46bA0kXq 6ZecmpUKEne2aTmm9pXScE17ignBNPsM44F/Glp0BnSDOo8QICFSKLPjTNd9Glg3p4VRK2FD yYfQT9RdAvBJCwSA3EGKcM9wuixpSP7bBQN/Tp5ooJoujOOnWSdyoPFMsfRe9GMbdVYmACfv G2u13/iHhgQOdibyDyE2nGhnOnCmWX8Qo16PKK83u5nhhuU3GN7IAUfSF+TsfS/zEmkVLp3K UYZ5y4vpqga71GwQ5/2WBjQiG6JuFsQVsRdF8U+6RqR0ezE7gCBHG8GQzVdLts8u6ceRjE01 1nPg9LgAxRutqGYTTSW8bL8kN+pEXFLdylYP3ZCFFZbpYm4yG0usv7RZupmAv6ljY32JT6z4 gKkoQo7nuxCjOdegs1X4mv7qz6ro5HISCs86QPWQn+p42tFWWK1W2C7wQOFtKgdde51WnHE5 SFZwJbGsIjiGLnXzESwrPMx8KZFDhpvGBnVmhZREpYo7FxBEFbzLNkLsFmSyKqEW/vomAMFg meO4Wu9B7cJZRNGiJObharrVazGKoC6SLzYugj8NIYmX3SIXFbvENtSTUCRxXvxt0MnjLsyP 5yWGe71UypLUPQ7nGrmF7hGuVPO+szY7TmNLXwc5075uYdymVbPEetVWLdwRr5RAFy4TPX9r I8EapriJ+R3W+zieCjHmbP/3nhRRUXX8ave8pQNHsbae1IOMDh4V5f5nONwE6Q4zv89vrqZo RmAtrpwlQOXaYvvcl7RNBiOqdrHAP5CkJ7MFXd1Zwz1hCF/P93HAWV2X8JfQITLPddLlJZcZ /IEZ9+BErJITDHG8C4adp7zsMppcxHDuO5EF3TNjOQXF3K4ezH0xw==
  • Ironport-hdrordr: A9a23:EmJt9q065uLt8mmyehFFkgqjBLYkLtp133Aq2lEZdPUzSL3+qy nOpoV+6faQsl0ssR4b9exoVJPufZq+z/5ICOsqU4tKNTOO0AHEEGgI1+rf6gylNyri9vNMkY dMGpIObeEY1GIK7voSNjPIceod/A==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Apr 06, 2022 at 04:07:24PM +0200, Jan Beulich wrote:
> On 06.04.2022 15:36, Roger Pau Monné wrote:
> > On Wed, Apr 06, 2022 at 02:24:32PM +0200, Jan Beulich wrote:
> >> First there's a printk() which actually wrongly uses pdev in the first
> >> place: We want to log the coordinates of the (perhaps fake) device
> >> acted upon, which may not be pdev.
> >>
> >> Then it was quite pointless for eb19326a328d ("VT-d: prepare for per-
> >> device quarantine page tables (part I)") to add a domid_t parameter to
> >> domain_context_unmap_one(): It's only used to pass back here via
> >> me_wifi_quirk() -> map_me_phantom_function(). Drop the parameter again.
> >>
> >> Finally there's the invocation of domain_context_mapping_one(), which
> >> needs to be passed the correct domain ID. Avoid taking that path when
> >> pdev is NULL and the quarantine state is what would need restoring to.
> >> This means we can't security-support PCI devices with RMRRs (if such
> >> exist in practice) any longer.
> >>
> >> Fixes: 8f41e481b485 ("VT-d: re-assign devices directly")
> >> Fixes: 14dd241aad8a ("IOMMU/x86: use per-device page tables for 
> >> quarantining")
> >> Coverity ID: 1503784
> >> Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> >>
> >> --- a/SUPPORT.md
> >> +++ b/SUPPORT.md
> >> @@ -750,6 +750,10 @@ However, this feature can still confer s
> >>  when used to remove drivers and backends from domain 0
> >>  (i.e., Driver Domains).
> >>  
> >> +On VT-d (Intel hardware) passing through plain PCI (or PCI-X) devices
> >> +when they have associated Reserved Memory Regions (RMRRs)
> >> +is not security supported, if such a combination exists in the first 
> >> place.
> > 
> > Hm, I think this could be confusing from a user PoV.  It's my
> > understanding you want to differentiate between DEV_TYPE_PCIe_ENDPOINT
> > and DEV_TYPE_PCI device types, so maybe we could use:
> > 
> > "On VT-d (Intel hardware) passing through non PCI Express devices with
> > associated Reserved Memory Regions (RMRRs) is not supported."
> > 
> > AFAICT domain_context_mapping will already prevent this from happening
> > by returning -EOPNOTSUPP (see the DEV_TYPE_PCI case handling).
> 
> Hmm. I did look at that code while writing the patch, but I didn't
> draw the same conclusion. I'd like to tie the security support
> statement to what could technically be made work. IOW I don't like
> to say "not supported"; I'd like to stick to "not security
> supported", which won't change even if that -EOPNOTSUPP path would
> be replaced by a proper implementation.

My preference for using 'not supported' was simply so that users don't
need to worry whether their use-case fails in this category: Xen will
simply reject the operation in the first place.

Otherwise users might wonder whether some of the devices they are
passing through are security supported or not (lacking proper
information about how to check whether a device is PCI, PCI-X or PCIe
and whether it has associated RMRR regions).

I understand your worry here, but I do think we should aim to make
this document as easy to parse as possible for users, and hence I
wonder whether your proposed addition will cause unneeded confusion
because that use-case is not allowed by the hypervisor in the first
place.

> Even adding a sentence to
> say this doesn't even work at present would seem to me to go too
> far: Such a sentence would easily be forgotten if the situation
> changed. But I'd be willing to add such an auxiliary statement as
> a compromise.
> 
> As to "plain PCI (or PCI-X)" vs "non PCI Express" - while I prefer
> to avoid a negation there, I'd be okay to switch if that's deemed
> better for potential readers.

Maybe it would be best to simply expand the comment before the RMRR
check in domain_context_mapping() to note that removing the check will
have security implications?

> >> @@ -1601,9 +1601,13 @@ int domain_context_mapping_one(
> >>  
> >>      if ( rc )
> >>      {
> >> -        if ( !prev_dom )
> >> -            ret = domain_context_unmap_one(domain, iommu, bus, devfn,
> >> -                                           DEVICE_DOMID(domain, pdev));
> >> +        if ( !prev_dom ||
> >> +             /*
> >> +              * Unmapping here means PCI devices with RMRRs (if such 
> >> exist)
> >> +              * will cause problems if such a region was actually 
> >> accessed.
> >> +              */
> >> +             (prev_dom == dom_io && !pdev) )
> > 
> > Maybe I'm reading this wrong, but plain PCI devices with RMRRs are
> > only allowed to be assigned to the hardware domain, and won't be able
> > to be reassigned afterwards.  It would be fine to unmap
> > unconditionally if !prev_dom or !pdev?  As calls with !pdev only
> > happening for phantom functions or bridge devices.
> 
> Like with the support statement, I'd prefer this code to be independent
> of the (perhaps temporary) decision to not allow certain assignments.

I was just saying because it would make the code easier IMO, but maybe
it doesn't matter that much.

The comment however should also be adjusted to mention that refers to
legacy DEV_TYPE_PCI type devices ('PCI devices with RMRRs' is too
unspecific IMO).

> Since you mention phantom functions: Aiui their mapping operations will
> be done with a non-NULL pdev, unless of course they're phantom functions
> associated with a non-PCIe device (in which case the same secondary
> mappings with a NULL pdev would occur - imo pointlessly, as it would
> be the same bridge and the same secondary bus as for the actual device;
> I'm under the impression that error handling may not work properly when
> such redundant mappings occur).

The redundant mapping of the bridges would be fine as prev_dom ==
domain in that case, and cannot fail?

Thanks, Roger.



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.