Re: [PATCH v4 3/9] swiotlb: Zero out bounce buffer for untrusted device

From: Konrad Rzeszutek Wilk
Date: Tue Jun 11 2019 - 21:10:20 EST


On Wed, Jun 12, 2019 at 08:43:40AM +0800, Lu Baolu wrote:
> Hi Konrad,
>
> Thanks a lot for your reviewing.
>
> On 6/10/19 11:45 PM, Konrad Rzeszutek Wilk wrote:
> > On Mon, Jun 03, 2019 at 09:16:14AM +0800, Lu Baolu wrote:
> > > This is necessary to avoid exposing valid kernel data to any
> > > milicious device.
> >
> > malicious
>
> Yes, thanks.
>
> >
> > >
> > > Suggested-by: Christoph Hellwig <hch@xxxxxx>
> > > Signed-off-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
> > > ---
> > > kernel/dma/swiotlb.c | 6 ++++++
> > > 1 file changed, 6 insertions(+)
> > >
> > > diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c
> > > index f956f785645a..ed41eb7f6131 100644
> > > --- a/kernel/dma/swiotlb.c
> > > +++ b/kernel/dma/swiotlb.c
> > > @@ -35,6 +35,7 @@
> > > #include <linux/scatterlist.h>
> > > #include <linux/mem_encrypt.h>
> > > #include <linux/set_memory.h>
> > > +#include <linux/pci.h>
> > > #ifdef CONFIG_DEBUG_FS
> > > #include <linux/debugfs.h>
> > > #endif
> > > @@ -560,6 +561,11 @@ phys_addr_t swiotlb_tbl_map_single(struct device *hwdev,
> > > */
> > > for (i = 0; i < nslots; i++)
> > > io_tlb_orig_addr[index+i] = orig_addr + (i << IO_TLB_SHIFT);
> > > +
> > > + /* Zero out the bounce buffer if the consumer is untrusted. */
> > > + if (dev_is_untrusted(hwdev))
> > > + memset(phys_to_virt(tlb_addr), 0, alloc_size);
> >
> > What if the alloc_size is less than a PAGE? Should this at least have ALIGN or such?
>
> It's the consumer (iommu subsystem) who requires this to be page
> aligned. For swiotlb, it just clears out all data in the allocated
> bounce buffer.

I am thinking that the if you don't memset the full page the malicious hardware could read stale date from the rest of the page
that hasn't been cleared?

>
> Best regards,
> Baolu
>
> >
> > > +
> > > if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) &&
> > > (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL))
> > > swiotlb_bounce(orig_addr, tlb_addr, mapping_size, DMA_TO_DEVICE);
> > > --
> > > 2.17.1
> > >
> >