[PATCH 1/1] iommu/arm-smmu: forbid userspace IO devices access memory through SMMU by default

Will Deacon will.deacon at arm.com
Thu Nov 20 02:13:41 PST 2014


On Thu, Nov 20, 2014 at 09:57:01AM +0000, Zhen Lei wrote:
> It's dangerous to set pte with ARM_SMMU_PTE_AP_UNPRIV. A hacker can use any
> devices running at userspace to access the memory which originally mapped for
> kernel devices, suppose they have the same StreamID. The userspace devices
> should through vfio to dynamic create mapping.

I don't fully understand the problem here. vfio will create a set of private
page tables for the container, so I can't see why the privilege really
matters, given that the whole thing is sandboxed anyway.

Furthermore, if we change the default to PRIV, then it will break for any
devices wired to emit unprivileged transactions only.

Will

> 
> Signed-off-by: Zhen Lei <thunder.leizhen at huawei.com>
> ---
>  drivers/iommu/arm-smmu.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
> index 60558f7..e31517b 100644
> --- a/drivers/iommu/arm-smmu.c
> +++ b/drivers/iommu/arm-smmu.c
> @@ -92,7 +92,7 @@
>  #define ARM_SMMU_PTE_CONT_MASK		(~(ARM_SMMU_PTE_CONT_SIZE - 1))
> 
>  /* Stage-1 PTE */
> -#define ARM_SMMU_PTE_AP_UNPRIV		(((pteval_t)1) << 6)
> +#define ARM_SMMU_PTE_AP_PRIV		(((pteval_t)0) << 6)
>  #define ARM_SMMU_PTE_AP_RDONLY		(((pteval_t)2) << 6)
>  #define ARM_SMMU_PTE_ATTRINDX_SHIFT	2
>  #define ARM_SMMU_PTE_nG			(((pteval_t)1) << 11)
> @@ -1296,7 +1296,7 @@ static int arm_smmu_alloc_init_pte(struct arm_smmu_device *smmu, pmd_t *pmd,
>  	}
> 
>  	if (stage == 1) {
> -		pteval |= ARM_SMMU_PTE_AP_UNPRIV | ARM_SMMU_PTE_nG;
> +		pteval |= ARM_SMMU_PTE_AP_PRIV | ARM_SMMU_PTE_nG;
>  		if (!(prot & IOMMU_WRITE) && (prot & IOMMU_READ))
>  			pteval |= ARM_SMMU_PTE_AP_RDONLY;
> 
> --
> 1.8.0
> 
> 
> 



More information about the linux-arm-kernel mailing list