RE: [PATCH] iw_cxgb4: fix a missing-check bug

From: Steve Wise
Date: Sat Oct 20 2018 - 19:14:19 EST

Next message: Linda: "Editors 4"
Previous message: Al Viro: "Re: [PATCH] fs: ufs: Remove switch statement from ufs_set_de_type function"
In reply to: Wenwen Wang: "[PATCH] iw_cxgb4: fix a missing-check bug"
Next in thread: Wenwen Wang: "Re: [PATCH] iw_cxgb4: fix a missing-check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hey Wenwen,

> Subject: [PATCH] iw_cxgb4: fix a missing-check bug
>
> In c4iw_flush_hw_cq, the next CQE is acquired through t4_next_hw_cqe(). In
> t4_next_hw_cqe(), the CQE, i.e., 'cq->queue[cq->cidx]', is checked to see
> whether it is valid through t4_valid_cqe(). If it is valid, the address of
> the CQE is then saved to 'hw_cqe'. Later on, the CQE is copied to the
local
> memory in create_read_req_cqe(). The problem here is that the CQE is
> actually in a DMA region allocated by dma_alloc_coherent() in create_cq().
> Given that the device also has the permission to access the DMA region, a
> malicious device controlled by an attacker can modify the CQE in the DMA
> region after the check in t4_next_hw_cqe() but before the copy in
> create_read_req_cqe(). By doing so, the attacker can supply invalid CQE,
> which can cause undefined behavior of the kernel and introduce potential
> security risks.
>

If the dma device is malicious, couldn't it just dma some incorrect CQE but
still valid in the first place? I don't think this patch actually solves
the issue, and it forces a copy of a 64B CQE in a critical data io path.

So I must NACK this.

Thanks,

Steve.

Next message: Linda: "Editors 4"
Previous message: Al Viro: "Re: [PATCH] fs: ufs: Remove switch statement from ufs_set_de_type function"
In reply to: Wenwen Wang: "[PATCH] iw_cxgb4: fix a missing-check bug"
Next in thread: Wenwen Wang: "Re: [PATCH] iw_cxgb4: fix a missing-check bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]