Leon Romanovsky leon@kernel.org writes:
On Thu, Jan 19, 2023 at 07:06:32PM +0200, Alexander Shishkin wrote:
A malicious device can change its MSIX table size between the table ioremap() and subsequent accesses, resulting in a kernel page fault in pci_write_msg_msix().
To avoid this, cache the table size observed at the moment of table ioremap() and use the cached value. This, however, does not help drivers that peek at the PCIE_MSIX_FLAGS register directly.
Signed-off-by: Alexander Shishkin alexander.shishkin@linux.intel.com Reviewed-by: Mika Westerberg mika.westerberg@linux.intel.com Cc: stable@vger.kernel.org
drivers/pci/msi/api.c | 7 ++++++- drivers/pci/msi/msi.c | 2 +- include/linux/pci.h | 1 + 3 files changed, 8 insertions(+), 2 deletions(-)
I'm not security expert here, but not sure that this protects from anything.
- Kernel relies on working and not-malicious HW. There are gazillion ways
to cause crashes other than changing MSI-X.
This particular bug was preventing our fuzzing from going deeper into the code and reaching some more of the aforementioned gazillion bugs.
- Device can report large table size, kernel will cache it and
malicious device will reduce it back. It is not handled and will cause to kernel crash too.
How would that happen? If the device decides to have fewer vectors, they'll all still fit in the ioremapped MSIX table. The worst thing that can happen is 0xffffffff reads from the mmio space, which a device can do anyway. But that shouldn't trigger a page fault or otherwise crash. Or am I missing something?
Thanks, -- Alex