authorJustin M. Forbes <jforbes@fedoraproject.org>2019-04-03 08:27:39 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2019-04-03 08:27:39 -0500
commitd6c48c0f6752a1427879e145fcdee880d09dd01b (patch)
treef4942367c77bf94c1be8167edf598c4b077d5fa2
parent4e4c21031481e606c686fcb6cb2994b0199b1170 (diff)
Fix CVE-2019-3882 (rhbz 1689426 1695571)
-rw-r--r--kernel.spec6
-rw-r--r--vfio-type1-limit-dma-mappings-per-container.patch130
2 files changed, 136 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index af7f46ef9..6e4592f1e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -614,6 +614,9 @@ Patch515: nfsv4.1-avoid-false-retries.patch
# CVE-2019-9857 rhbz 1694758 1694759
Patch516: 0001-inotify-Fix-fsnotify_mark-refcount-leak-in-inotify_u.patch
+# CVE-2019-3882 rhbz 1689426 1695571
+Patch517: vfio-type1-limit-dma-mappings-per-container.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1887,6 +1890,9 @@ fi
#
#
%changelog
+* Wed Apr 03 2019 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2019-3882 (rhbz 1689426 1695571)
+
* Mon Apr 01 2019 Justin M. Forbes <jforbes@fedoraproject.org>
- Fix CVE-2019-9857 (rhbz 1694758 1694759)
diff --git a/vfio-type1-limit-dma-mappings-per-container.patch b/vfio-type1-limit-dma-mappings-per-container.patch
new file mode 100644
index 000000000..da814fa0e
--- /dev/null
+++ b/vfio-type1-limit-dma-mappings-per-container.patch
@@ -0,0 +1,130 @@
+From mboxrd@z Thu Jan 1 00:00:00 1970
+Return-Path: <SRS0=/BGd=SD=vger.kernel.org=linux-kernel-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+ aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level:
+X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
+ INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS autolearn=ham
+ autolearn_force=no version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+ by smtp.lore.kernel.org (Postfix) with ESMTP id 5BCBAC43381
+ for <linux-kernel@archiver.kernel.org>; Mon, 1 Apr 2019 20:16:59 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
+ by mail.kernel.org (Postfix) with ESMTP id 31C4F20896
+ for <linux-kernel@archiver.kernel.org>; Mon, 1 Apr 2019 20:16:59 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+ id S1726867AbfDAUQ5 (ORCPT
+ <rfc822;linux-kernel@archiver.kernel.org>);
+ Mon, 1 Apr 2019 16:16:57 -0400
+Received: from mx1.redhat.com ([209.132.183.28]:52924 "EHLO mx1.redhat.com"
+ rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
+ id S1726284AbfDAUQ5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
+ Mon, 1 Apr 2019 16:16:57 -0400
+Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])
+ (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
+ (No client certificate requested)
+ by mx1.redhat.com (Postfix) with ESMTPS id 6BC20307D933;
+ Mon, 1 Apr 2019 20:16:57 +0000 (UTC)
+Received: from gimli.home (ovpn-116-99.phx2.redhat.com [10.3.116.99])
+ by smtp.corp.redhat.com (Postfix) with ESMTP id AF2DC104C53F;
+ Mon, 1 Apr 2019 20:16:52 +0000 (UTC)
+Subject: [PATCH] vfio/type1: Limit DMA mappings per container
+From: Alex Williamson <alex.williamson@redhat.com>
+To: alex.williamson@redhat.com
+Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
+ eric.auger@redhat.com, cohuck@redhat.com
+Date: Mon, 01 Apr 2019 14:16:52 -0600
+Message-ID: <155414977872.12780.13728555131525362206.stgit@gimli.home>
+User-Agent: StGit/0.19-dirty
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
+X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Mon, 01 Apr 2019 20:16:57 +0000 (UTC)
+Sender: linux-kernel-owner@vger.kernel.org
+Precedence: bulk
+List-ID: <linux-kernel.vger.kernel.org>
+X-Mailing-List: linux-kernel@vger.kernel.org
+Archived-At: <https://lore.kernel.org/lkml/155414977872.12780.13728555131525362206.stgit@gimli.home/>
+List-Archive: <https://lore.kernel.org/lkml/>
+List-Post: <mailto:linux-kernel@vger.kernel.org>
+
+Memory backed DMA mappings are accounted against a user's locked
+memory limit, including multiple mappings of the same memory. This
+accounting bounds the number of such mappings that a user can create.
+However, DMA mappings that are not backed by memory, such as DMA
+mappings of device MMIO via mmaps, do not make use of page pinning
+and therefore do not count against the user's locked memory limit.
+These mappings still consume memory, but the memory is not well
+associated to the process for the purpose of oom killing a task.
+
+To add bounding on this use case, we introduce a limit to the total
+number of concurrent DMA mappings that a user is allowed to create.
+This limit is exposed as a tunable module option where the default
+value of 64K is expected to be well in excess of any reasonable use
+case (a large virtual machine configuration would typically only make
+use of tens of concurrent mappings).
+
+This fixes CVE-2019-3882.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+---
+ drivers/vfio/vfio_iommu_type1.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 73652e21efec..7fc8fd7d4dc7 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -58,12 +58,18 @@ module_param_named(disable_hugepages,
+ MODULE_PARM_DESC(disable_hugepages,
+ "Disable VFIO IOMMU support for IOMMU hugepages.");
+
++static int dma_entry_limit __read_mostly = U16_MAX;
++module_param_named(dma_entry_limit, dma_entry_limit, int, 0644);
++MODULE_PARM_DESC(dma_entry_limit,
++ "Maximum number of user DMA mappings per container (65535).");
++
+ struct vfio_iommu {
+ struct list_head domain_list;
+ struct vfio_domain *external_domain; /* domain for external user */
+ struct mutex lock;
+ struct rb_root dma_list;
+ struct blocking_notifier_head notifier;
++ atomic_t dma_avail;
+ bool v2;
+ bool nesting;
+ };
+@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)
+ vfio_unlink_dma(iommu, dma);
+ put_task_struct(dma->task);
+ kfree(dma);
++ atomic_inc(&iommu->dma_avail);
+ }
+
+ static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)
+@@ -1081,8 +1088,14 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
+ goto out_unlock;
+ }
+
++ if (!atomic_add_unless(&iommu->dma_avail, -1, 0)) {
++ ret = -ENOSPC;
++ goto out_unlock;
++ }
++
+ dma = kzalloc(sizeof(*dma), GFP_KERNEL);
+ if (!dma) {
++ atomic_inc(&iommu->dma_avail);
+ ret = -ENOMEM;
+ goto out_unlock;
+ }
+@@ -1583,6 +1596,7 @@ static void *vfio_iommu_type1_open(unsigned long arg)
+
+ INIT_LIST_HEAD(&iommu->domain_list);
+ iommu->dma_list = RB_ROOT;
++ atomic_set(&iommu->dma_avail, dma_entry_limit);
+ mutex_init(&iommu->lock);
+ BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);
+
+
+
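Review bot: `dma_entry_limit` is a signed `int` that vfio_iommu_type1_open() copies unchecked into `dma_avail`, so a negative value written through the 0644 parameter starts the counter below zero and the `atomic_add_unless(&iommu->dma_avail, -1, 0)` test in vfio_dma_do_map() does not reach 0 in practice; the cap this CVE fix introduces is then silently off for every container opened afterwards. Making the parameter unsigned removes that case: `static unsigned int dma_entry_limit __read_mostly = U16_MAX;` with `module_param_named(dma_entry_limit, dma_entry_limit, uint, 0644);` (values above INT_MAX would presumably still land negative in the `atomic_t`, so the description should state the usable range). Since the limit is sampled only at open, a comment above the parameter such as `/* read once per container at open; later writes affect new containers only */` would tell operators that tightening it at runtime does not constrain existing containers. The bodies of vfio_dma_do_map() and vfio_iommu_type1_open() continue outside the embedded hunks, so whether every later failure path returns the reserved slot cannot be confirmed from this page.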