• Alex Williamson's avatar
    vfio-pci: Invalidate mmaps and block MMIO access on disabled memory · abafbc55
    Alex Williamson authored
    Accessing the disabled memory space of a PCI device would typically
    result in a master abort response on conventional PCI, or an
    unsupported request on PCI express.  The user would generally see
    these as a -1 response for the read return data and the write would be
    silently discarded, possibly with an uncorrected, non-fatal AER error
    triggered on the host.  Some systems however take it upon themselves
    to bring down the entire system when they see something that might
    indicate a loss of data, such as this discarded write to a disabled
    memory space.
    
    To avoid this, we want to try to block the user from accessing memory
    spaces while they're disabled.  We start with a semaphore around the
    memory enable bit, where writers modify the memory enable state and
    must be serialized, while readers make use of the memory region and
    can access in parallel.  Writers include both direct manipulation via
    the command register, as well as any reset path where the internal
    mechanics of the reset may both explicitly and implicitly disable
    memory access, and manipulation of the MSI-X configuration, where the
    MSI-X vector table resides in MMIO space of the device.  Readers
    include the read and write file ops to access the vfio device fd
    offsets as well as memory mapped access.  In the latter case, we make
    use of our new vma list support to zap, or invalidate, those memory
    mappings in order to force them to be faulted back in on access.
    
    Our semaphore usage will stall user access to MMIO spaces across
    internal operations like reset, but the user might experience new
    behavior when trying to access the MMIO space while disabled via the
    PCI command register.  Access via read or write while disabled will
    return -EIO and access via memory maps will result in a SIGBUS.  This
    is expected to be compatible with known use cases and potentially
    provides better error handling capabilities than present in the
    hardware, while avoiding the more readily accessible and severe
    platform error responses that might otherwise occur.
    
    Fixes: CVE-2020-12888
    Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
    Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
    abafbc55
vfio_pci_rdwr.c 8.41 KB