• Martin Radev's avatar
    swiotlb: Validate bounce size in the sync/unmap path · daf9514f
    Martin Radev authored
    The size of the buffer being bounced is not checked if it happens
    to be larger than the size of the mapped buffer. Because the size
    can be controlled by a device, as it's the case with virtio devices,
    this can lead to memory corruption.
    
    This patch saves the remaining buffer memory for each slab and uses
    that information for validation in the sync/unmap paths before
    swiotlb_bounce is called.
    
    Validating this argument is important under the threat models of
    AMD SEV-SNP and Intel TDX, where the HV is considered untrusted.
    Signed-off-by: default avatarMartin Radev <martin.b.radev@gmail.com>
    Signed-off-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    daf9514f
swiotlb.c 21.8 KB