On Thu, 2024-11-07 at 22:16 +0800, Qiu-ji Chen wrote:
> In line 1854 of the file esas2r_ioctl.c, the function
> esas2r_process_vda_ioctl() is called with the parameter vi being
> assigned the value of a->vda_buffer. On line 1892, a->vda_buffer is
> stored in DMA memory with the statement a->vda_buffer =
> dma_alloc_coherent(&a->pcid->dev, ..., indicating that the
> parameter vi passed to the function is also stored in DMA memory.
> This suggests that the parameter vi could be altered at any time by
> malicious hardware.

Absent a specific threat (such as TPM with an interposer) this isn't a
vector the kernel protects against (we have to believe what hardware
says unless we know it to be specifically buggy about something).

However, even supposing a PCI Interposer were considered a threat, the
answer now is hardware based: SPDM/PCI-IDE.

Regards,

James