On Wed, May 13, 2020 at 02:26:18PM -0700, Rajat Jain wrote:
> * A driver could be double fetching the memory, causing it to do
> different things than intended. E.g.
> * A driver could be (negligently) passing some kernel addresses to the device.
> * A driver could be using (for memory dereferencing, for e.g.) the
> address/indices, given by the device, without enough validation.
> * A driver may negligently be sharing the DMA memory with some other
> driver data in the same PAGE. Since the IOMMU restrictions are PAGE
> granular, this might give device access to that driver data.

The Intel IOMMU driver has a solution for that problem as it has iommu
based bounce-buffer dma ops. This means that a driver can't accidentally
share sensitive information on the same page with a device.

This idea should be generalized and made available for all iommu-drivers
in the form of integrating it into the dma-iommu code, or have a
separate generic dma-ops implementation, which does:

	1) Give the device direct access to DMA buffers if they are
	   IOMMU-page aligned (both start and size).

	2) Use bounce buffering for DMA buffers that don't align with
	   iommu page-size.

This would at least eliminate this type of attack made possible by
incautious drivers.

Regards,

	Joerg
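A user-space model of the two rules Joerg describes, added here as an illustration and not code from the kernel, the dma-iommu layer or the Intel IOMMU driver: buffers whose start and size are both IOMMU-page aligned are handed to the device directly, everything else is copied into freshly allocated, page-aligned bounce pages so that the device never sees neighbouring driver data in the same page. The 4 KiB IOMMU page size, the `dma_map` structure and the function names are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L /* for posix_memalign */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IOMMU_PAGE_SIZE 4096UL /* assumed IOMMU page size for this example */

/* What the "driver" gets back: the region the device may touch, plus the
 * bounce copy (NULL when the driver's buffer is mapped directly). */
struct dma_map {
    void *dev_addr, *orig, *bounce;
    size_t dev_size, orig_size;
};

/* Rules 1/2 from the mail: direct access only if start AND size are
 * IOMMU-page aligned; everything else goes through a bounce buffer. */
static int dma_needs_bounce(const void *buf, size_t size)
{
    return ((uintptr_t)buf % IOMMU_PAGE_SIZE) || (size % IOMMU_PAGE_SIZE);
}

/* In the bounce case the device sees fresh pages holding only this buffer,
 * never whatever else the driver keeps in the same page. */
static int dma_map_buffer(struct dma_map *m, void *buf, size_t size)
{
    memset(m, 0, sizeof(*m));
    m->orig = buf;
    m->orig_size = size;
    if (!dma_needs_bounce(buf, size)) {
        m->dev_addr = buf;
        m->dev_size = size;
        return 1;
    }
    size_t bytes = ((size + IOMMU_PAGE_SIZE - 1) / IOMMU_PAGE_SIZE) * IOMMU_PAGE_SIZE;
    if (posix_memalign(&m->bounce, IOMMU_PAGE_SIZE, bytes) != 0)
        return 0;
    memset(m->bounce, 0, bytes);  /* tail of the last page carries no stale data */
    memcpy(m->bounce, buf, size); /* DMA_TO_DEVICE: copy in */
    m->dev_addr = m->bounce;
    m->dev_size = bytes;
    return 1;
}
/* Unmap: copy device writes back (DMA_FROM_DEVICE) and release the bounce. */
static void dma_unmap_buffer(struct dma_map *m)
{
    if (!m->bounce)
        return;
    memcpy(m->orig, m->bounce, m->orig_size);
    free(m->bounce);
    m->bounce = NULL;
}
```

A real implementation would also have to handle the sync points between the driver's copy and the bounce copy for each DMA direction, which this model collapses into map and unmap.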