On Wed, Sep 25, 2024 at 12:03 PM Michael Tokarev <m...@tls.msk.ru> wrote:
>
> 19.08.2024 16:54, Mattias Nissler wrote:
> > When DMA memory can't be directly accessed, as is the case when
> > running the device model in a separate process without shareable DMA
> > file descriptors, bounce buffering is used.
> >
> > It is not uncommon for device models to request mapping of several DMA
> > regions at the same time. Examples include:
> > * net devices, e.g. when transmitting a packet that is split across
> >   several TX descriptors (observed with igb)
> > * USB host controllers, when handling a packet with multiple data TRBs
> >   (observed with xhci)
> >
> > Previously, qemu only provided a single bounce buffer per AddressSpace
> > and would fail DMA map requests while the buffer was already in use. In
> > turn, this would cause DMA failures that ultimately manifest as hardware
> > errors from the guest perspective.
> >
> > This change allocates DMA bounce buffers dynamically instead of
> > supporting only a single buffer. Thus, multiple DMA mappings work
> > correctly also when RAM can't be mmap()-ed.
> >
> > The total bounce buffer allocation size is limited individually for each
> > AddressSpace. The default limit is 4096 bytes, matching the previous
> > maximum buffer size. A new x-max-bounce-buffer-size parameter is
> > provided to configure the limit for PCI devices.
>
> So, the issue has now become CVE-2024-8612 (information leak), with this
> commit (v9.1.0-134-g637b0aa139) being the fix.
Interesting. IIUC, this is triggered by device implementations calling
dma_memory_unmap with an incorrect size parameter as provided by a hostile
guest. Shouldn't the device implementations be fixed to validate the
parameter as well? Maybe this has already happened? It would seem the more
targeted fix to me.

> Should we back-port it to previous stable releases of qemu?
> (it applies to 9.1 but not to 9.0, and I haven't tested it even in 9.1.
> If anything it needs some work for 9.0 and before)

FWIW, I've been running with earlier variants of this since at least
8.0.50, so a backport shouldn't be hard. Note that if we decide to
backport, we should also include "mac_dbdma: Remove leftover
`dma_memory_unmap` calls", which fixes a bug in mac_dbdma uncovered by the
concurrent bounce buffers change.

> Thanks,
> /mjt
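The bounce-buffer scheme the quoted commit message describes, as a small constructed C model (an added example, not QEMU's code): a per-AddressSpace byte cap, several live mappings at once, and an unmap that checks the caller's size against the recorded one, which is the kind of validation the reply above asks about. The AddressSpace and BounceBuffer structs and the bounce_map, bounce_unmap and bounce_demo functions are invented for illustration.

```c
#include <stdlib.h>
/* Constructed model of the scheme in the quoted commit message, not QEMU code; names are invented. */
typedef struct BounceBuffer {
    size_t len;                 /* length recorded at map time */
    void *data;
    struct BounceBuffer *next;
} BounceBuffer;
typedef struct {
    size_t max_bounce_size;     /* cap on bytes bounce-buffered at once (4096 default) */
    size_t bounce_in_use;       /* outstanding bytes across all live mappings */
    BounceBuffer *active;       /* list of live mappings instead of a single slot */
} AddressSpace;
/* Map: hand out a bounce buffer, or NULL if this one would exceed the cap. */
void *bounce_map(AddressSpace *as, size_t len) {
    if (len == 0 || len > as->max_bounce_size - as->bounce_in_use) return NULL;
    BounceBuffer *b = calloc(1, sizeof *b);
    b->data = calloc(1, len);
    b->len = len;
    b->next = as->active;
    as->active = b;
    as->bounce_in_use += len;
    return b->data;
}

/* Unmap: len is checked against the recorded length so a wrong len cannot skew the accounting. */
int bounce_unmap(AddressSpace *as, void *buf, size_t len) {
    for (BounceBuffer **pp = &as->active; *pp; pp = &(*pp)->next) {
        BounceBuffer *b = *pp;
        if (b->data != buf) continue;
        if (len != b->len) return -1;   /* mismatched size: reject, keep the mapping */
        *pp = b->next;
        as->bounce_in_use -= b->len;
        free(b->data); free(b);
        return 0;
    }
    return -1;                          /* not a buffer we handed out */
}
/* Scenario: two 1500-byte TX fragments fit under 4096, a third does not, a bad
 * unmap length is rejected. Returns 0 on success, otherwise the failing step. */
int bounce_demo(void) {
    AddressSpace as = { .max_bounce_size = 4096 };
    void *a = bounce_map(&as, 1500), *b = bounce_map(&as, 1500);
    if (!a || !b || bounce_map(&as, 1500) != NULL) return 1;  /* 3000 ok, 4500 not */
    if (bounce_unmap(&as, a, 100) != -1) return 2;            /* wrong len rejected */
    if (bounce_unmap(&as, a, 1500) != 0) return 3;
    void *c = bounce_map(&as, 1500);                          /* room again */
    if (!c || bounce_unmap(&as, b, 1500) || bounce_unmap(&as, c, 1500)) return 4;
    return as.bounce_in_use == 0 ? 0 : 5;
}
```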