Conversation

@DemiMarie DemiMarie commented Jul 8, 2025

Summary of the PR

vfio_syscall::map_dma causes the kernel to make an arbitrary address
accessible for DMA by a device the guest typically controls. This is
unsafe, as it can change memory that Rust assumes is immutable.

I found this through a review of Cloud Hypervisor, where I saw a
safe function that took a host address cast to u64 as an argument and
accessed that address. It turns out that this function was the source
of the unsoundness.

Requirements

Before submitting your PR, please make sure you addressed the following
requirements:

  • All commits in this PR have Signed-Off-By trailers (with
    git commit -s), and the commit message has max 60 characters for the
    summary and max 75 characters for each description line.
  • All added/changed functionality has a corresponding unit/integration
    test.
  • All added/changed public-facing functionality has entries in the "Upcoming
    Release" section of CHANGELOG.md (if no such section exists, please create one).
  • Any newly added unsafe code is properly documented.

@DemiMarie changed the title from "Fix multi" to "Fix multiple soundness issues" on Jul 23, 2025

@jinankjain (Collaborator) commented:

@DemiMarie can you please rebase and fix the clippy errors?

vfio_syscall::map_dma() accepts a u64 and tells the Linux kernel to make
the corresponding address accessible for DMA by a device.  Therefore,
passing bad u64 values can result in memory corruption or disclosure.
Change the u64 argument to a pointer to avoid confusion.  To reflect
that the caller must uphold invariants to prevent undefined behavior,
mark the API as unsafe.

I found this through a review of Cloud Hypervisor [1].  Some of its
internal APIs took a host address cast to u64 as an argument and
accessed that address.  In one case, the u64 was passed directly to
vfio_syscall::map_dma().

[1]: cloud-hypervisor/cloud-hypervisor#7129

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
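The API change the PR description and commit message describe (a raw pointer instead of a u64 host address, with the function marked `unsafe` and a safe owner of the memory on top), as an added example that is not code from vfio-ioctls or Cloud Hypervisor. `MockVfio`, `Mapping` and `DmaBuffer` are assumed names; the mock records mappings instead of issuing the VFIO map-DMA ioctl so the shape can be exercised offline.

```rust
// Added example: a mock stands in for the VFIO container so no ioctl runs.
use std::cell::RefCell;

#[derive(Debug, Clone, PartialEq)]
pub struct Mapping { pub host_addr: usize, pub size: usize, pub iova: u64 }

#[derive(Default)]
pub struct MockVfio { pub mappings: RefCell<Vec<Mapping>> }

impl MockVfio {
    /// Shape of the patched API: a pointer, not a `u64`, and `unsafe`.
    ///
    /// # Safety
    /// `host_addr..host_addr + size` must stay allocated and pinned for as
    /// long as the mapping exists, and the caller must not hand the device
    /// memory that Rust treats as immutable, because the device may write it.
    pub unsafe fn map_dma(&self, host_addr: *mut u8, size: usize, iova: u64) {
        // Real code would issue the map-DMA ioctl here; the mock just records it.
        self.mappings.borrow_mut().push(Mapping { host_addr: host_addr as usize, size, iova });
    }
}

/// Safe owner of DMA-able memory: the only pointers it passes to `map_dma`
/// come from its own heap allocation, which is what makes `map` sound.
pub struct DmaBuffer { mem: Box<[u8]> }

impl DmaBuffer {
    pub fn new(size: usize) -> Self {
        DmaBuffer { mem: vec![0u8; size].into_boxed_slice() }
    }

    /// Map `len` bytes at `offset` of this buffer at device address `iova`.
    /// Ranges outside the allocation are rejected rather than trusted.
    pub fn map(&mut self, vfio: &MockVfio, offset: usize, len: usize, iova: u64) -> Result<(), String> {
        let end = offset.checked_add(len).ok_or("range overflows usize")?;
        if end > self.mem.len() {
            return Err(format!("range {offset}..{end} exceeds buffer of {} bytes", self.mem.len()));
        }
        // SAFETY: the range lies inside our owned Box<[u8]>, whose address is
        // stable, and we pass `*mut` so device writes break no `&` aliasing.
        unsafe { vfio.map_dma(self.mem.as_mut_ptr().add(offset), len, iova) };
        Ok(())
    }
}

fn main() {
    let vfio = MockVfio::default();
    let mut buf = DmaBuffer::new(4096);
    println!("in-bounds: {:?}", buf.map(&vfio, 0, 4096, 0x1000));
    println!("out-of-bounds: {:?}", buf.map(&vfio, 4096, 1, 0x2000));
}
```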