Hi Phil,

On 09/03/20 13:08, Philippe Mathieu-Daudé wrote:
> Hi,
>
> I'm not supposed to work on this but I couldn't sleep so kept
> wondering about this problem the whole night and eventually
> woke up to write this quickly, so comments are scarce, sorry.
>
> The first part is obvious anyway, simply pass the MemTxAttrs argument.
>
> The main patch is:
> "exec/memattrs: Introduce MemTxAttrs::direct_access field".
> This way we can restrict accesses to ROM/RAM by setting the
> 'direct_access' field. Illegal accesses return MEMTX_BUS_ERROR.
>
> The next patch restricts PCI DMA accesses by setting the direct_access
> field.
>
> Finally we add an assertion for any DMA write access to indirect
> memory to kill a class of bug recently found by Alexander while
> fuzzing.
I've briefly checked LP#1886362 and LP#1888606, and as much as I understand them, they seem tricky. It's not clear how we can recognize long chains of DMA-to-MMIO transfers, and interrupt them. Peter mentions an approach at the end of <https://bugs.launchpad.net/qemu/+bug/1886362/comments/5> that I believe I understand, but -- according to him -- it seems too much work.

And, I'm not too familiar with the qemu memory model, so I don't have comments on your solution.

Maybe we can have some kind of "depth counter" for such recursive DMA-to-MMIO calls (even across multiple device models), and put an artificial limit on them, such as 5 or 10. This could be controlled on the QEMU command line perhaps? I don't think such chains work to arbitrary depths on physical hardware either.

Sorry that I don't have any sensible comments here. I hope I didn't misunderstand the problem at least.

Laszlo
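The "depth counter" idea above, as an added toy model in C (not code from this thread or from QEMU; the limit of 5, the device model and the addresses are constructed): a DMA write path that counts how deeply DMA-initiated accesses into MMIO are nested and returns MEMTX_BUS_ERROR past the limit, so a device whose DMA target is its own register cannot re-enter itself without bound.

```c
#include <stdint.h>
#include <stdio.h>
/* Added toy model, not QEMU code: a DMA write path with a nesting counter. */
typedef enum { MEMTX_OK = 0, MEMTX_BUS_ERROR = 1 } MemTxResult;

#define DMA_DEPTH_LIMIT 5     /* assumed limit, in the spirit of "5 or 10" */
#define RAM_WORDS 16          /* constructed: 16 words of guest RAM at address 0 */
#define DEV_MMIO_ADDR 0x1000  /* constructed: the device's single MMIO register */

static uint64_t ram[RAM_WORDS];
static uint64_t dev_dma_target;  /* device register: address it DMAs to */
int dma_depth;                   /* DMA-initiated accesses currently nested */
int dma_max_depth;               /* deepest nesting seen during one run */
MemTxResult dma_memory_write(uint64_t addr, uint64_t val);

/* Constructed device model: a write to its register makes it DMA the same value
 * to dev_dma_target. Aimed at DEV_MMIO_ADDR, it would re-enter itself forever. */
static void dev_mmio_write(uint64_t val)
{
    (void)dma_memory_write(dev_dma_target, val);  /* result ignored, as often */
}

MemTxResult dma_memory_write(uint64_t addr, uint64_t val)
{
    if (addr < RAM_WORDS * sizeof(uint64_t)) {    /* plain RAM: direct access */
        ram[addr / sizeof(uint64_t)] = val;
        return MEMTX_OK;
    }
    if (addr != DEV_MMIO_ADDR) return MEMTX_BUS_ERROR;        /* unmapped address */
    if (dma_depth >= DMA_DEPTH_LIMIT) return MEMTX_BUS_ERROR; /* chain too deep */
    dma_depth++;
    if (dma_depth > dma_max_depth) dma_max_depth = dma_depth;
    dev_mmio_write(val);                          /* may recurse into us */
    dma_depth--;
    return MEMTX_OK;
}

/* Point the device at target, do one write to its register (level 1 in this
 * toy) and return the deepest nesting the guard allowed. */
int run_chain(uint64_t target)
{
    dma_depth = dma_max_depth = 0;
    dev_dma_target = target;
    (void)dma_memory_write(DEV_MMIO_ADDR, 0x42);
    return dma_max_depth;
}

int main(void)
{
    printf("self-targeting chain cut at depth %d\n", run_chain(DEV_MMIO_ADDR));
    return 0;
}
```

Pointing the device at RAM instead (run_chain(8)) completes at depth 1 and lands the value in ram[1], showing that the guard only bites on nested MMIO re-entry.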