[PATCH v2 hurd] pci-arbiter: Fix long standing bug with PCI access


From: Damien Zammit
Subject: [PATCH v2 hurd] pci-arbiter: Fix long standing bug with PCI access
Date: Sat, 28 Dec 2024 07:35:52 +0000

Proxied memory was not rounded up to page size, causing
error with vm_map'ing the underlying memory.

WARNING: Assumes pci memory resources are at least page aligned.
If not, this will expose part of next resource to userspace.

---
 pci-arbiter/netfs_impl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pci-arbiter/netfs_impl.c b/pci-arbiter/netfs_impl.c
index 4bb5c97a..82e618a7 100644
--- a/pci-arbiter/netfs_impl.c
+++ b/pci-arbiter/netfs_impl.c
@@ -577,6 +577,7 @@ get_filemap_region (struct node *node, vm_prot_t prot)
   vm_prot_t max_prot;
   size_t reg_num;
   struct pci_mem_region *region;
+  size_t rounded_size;
 
   /* Get region info */
   reg_num =
@@ -592,12 +593,17 @@ get_filemap_region (struct node *node, vm_prot_t prot)
   if (err)
     goto error;
 
+  /* WARNING: this rounds up the proxied region to a whole page.
+   * This may be a security risk, but is the only way to provide access
+   * to the final page of the memory region */
+  rounded_size = round_page (region->size);
+
   /* Create a new memory object proxy with the required protection */
   max_prot = (VM_PROT_READ | VM_PROT_WRITE) & prot;
   err =
     vm_region_create_proxy (mach_task_self (),
                            (vm_address_t) node->nn->ln->region_maps[reg_num],
-                           max_prot, region->size, &proxy);
+                           max_prot, rounded_size, &proxy);
   if (err)
     goto error;
 
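Review bot: At `rounded_size = round_page (region->size);` nothing checks the page-alignment assumption stated in the commit message, so when `region->size` is not a page multiple the proxy silently covers bytes past the end of the region. Since `max_prot` is `(VM_PROT_READ | VM_PROT_WRITE) & prot`, that tail can be writable as well as readable by the client. Consider testing whether `rounded_size != region->size` (and whether the region's base is page aligned) and then either failing with an error or at least logging the affected region, so the exposure is visible rather than implicit. The in-code comment says only "may be a security risk"; it should state the actual condition, as the commit message does: the region is assumed to be page aligned, and if it is not, part of the next resource becomes reachable from userspace.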
-- 
2.45.2
