
lwn.net/SubscriberLink … 'Bounce buffers for untrusted devices'. An approach like this should be done for all devices, not only 'untrusted' ones, since internal hardware can be compromised by an attacker or even malicious from the start. Recent thread:
Replying to @vyodaiken @billhuey and 6 others
Sharing actual list (including access to pointers) with hardware is unsafe, bogus to do. Sharing the data buffer space does not require any complex data structures. Storage for that should be allocated and managed by OS infrastructure outside of the driver.
Replying to @DanielMicay @RichFelker and 7 others
As in never directly use that kind of data without first copying it out and sanity checking the copy. It's a common anti-pattern in the drivers to trust the hardware completely or to do racy checks where they sanity check it but then use the memory the driver can write to.
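The check-then-reuse race and the copy-out-first pattern from the last two replies, as an added C example that is not code from the thread or from any kernel driver. The device is simulated by a function that rewrites a descriptor between the driver's check and its use; the descriptor layout, buffer size and function names are hypothetical.

```c
/* Added example (not from the thread): a descriptor lives in memory the device
 * can write at any time (modelled here as a volatile struct that a simulated
 * device mutates). The racy consumer validates the shared fields and then reads
 * them again; the safe consumer snapshots the descriptor into private memory
 * first and only ever validates and uses that copy. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define DATA_BUF_LEN 64u             /* hypothetical shared data buffer size */

struct dev_desc {                    /* hypothetical device-shared descriptor */
    uint32_t offset;                 /* start of payload inside data_buf */
    uint32_t len;                    /* payload length, as reported by the device */
};

/* "Shared" region: a real driver would map this for device access (DMA). */
static volatile struct dev_desc shared_desc;
static uint8_t data_buf[DATA_BUF_LEN];

/* Simulated device activity: program a descriptor, or rewrite its length. */
static void device_program(uint32_t offset, uint32_t len) { shared_desc.offset = offset; shared_desc.len = len; }
static void device_rewrites_len(uint32_t new_len) { shared_desc.len = new_len; }

/* Anti-pattern: every mention of shared_desc.* is a separate read of memory
 * the device owns. Returns the end offset the driver would hand to memcpy, or -1. */
static long consume_racy(void)
{
    if (shared_desc.len > DATA_BUF_LEN ||
        shared_desc.offset > DATA_BUF_LEN - shared_desc.len)
        return -1;                               /* check on shared memory */
    device_rewrites_len(DATA_BUF_LEN * 4);       /* device wins the race here */
    return (long)(shared_desc.offset + shared_desc.len);  /* use: re-read, now oversized */
}

/* Copy out once, then validate the private copy with an overflow-safe bounds check. */
static bool snapshot_desc(struct dev_desc *priv)
{
    priv->offset = shared_desc.offset;           /* single read per field */
    priv->len    = shared_desc.len;
    return priv->len <= DATA_BUF_LEN && priv->offset <= DATA_BUF_LEN - priv->len;
}

/* Safe consumer: returns bytes copied to out, or -1 if the descriptor is rejected. */
static long consume_safe(uint8_t *out, size_t out_sz)
{
    struct dev_desc d;
    if (!snapshot_desc(&d) || d.len > out_sz) return -1;
    device_rewrites_len(DATA_BUF_LEN * 4);       /* too late: d is private now */
    memcpy(out, &data_buf[d.offset], d.len);     /* uses only the validated copy */
    return (long)d.len;
}
```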