Re: [PATCH] scsi: esas2r: fix possible buffer overflow caused by bad DMA value in esas2r_process_fs_ioctl()

From: James Bottomley
Date: Sun Aug 02 2020 - 12:11:21 EST


On Sun, 2020-08-02 at 23:21 +0800, Jia-Ju Bai wrote:
> Because "fs" is mapped to DMA, its data can be modified at anytime by
> malicious or malfunctioning hardware. In this case, the check
> "if (fsc->command >= cmdcnt)" can be passed, and then "fsc->command"
> can be modified by hardware to cause buffer overflow.

This threat model seems to be completely bogus. If the device were
malicious it would have given the mailbox incorrect values a priori ...
it wouldn't give the correct value then update it. For most systems we
do assume correct operation of the device but if there's a worry about
incorrect operation, the usual approach is to guard the device with an
IOMMU which, again, would make this sort of fix unnecessary because the
IOMMU will have removed access to the buffer after the command
completed.

James