Skip to content

Fix multiple soundness issues #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fix multiple soundness issues #103

wants to merge 2 commits into from

Conversation

DemiMarie
Copy link

@DemiMarie DemiMarie commented Jul 8, 2025
edited
Loading

Summary of the PR

vfio_syscall::map_dma causes the kernel to make an arbitrary address
accessible for DMA by a device the guest typically controls. This is
unsafe, as it can change memory that Rust assumes is immutable.

I found this through a review of Cloud Hypervisor, where I saw a
safe function that took a host address cast to u64 as an argument and
accessed that address. It turns out that this function was the source
of the unsoundness.

Requirements

Before submitting your PR, please make sure you addressed the following
requirements:

  • All commits in this PR have Signed-Off-By trailers (with
    git commit -s), and the commit message has max 60 characters for the
    summary and max 75 characters for each description line.
  • All added/changed functionality has a corresponding unit/integration
    test.
  • All added/changed public-facing functionality has entries in the "Upcoming
    Release" section of CHANGELOG.md (if no such section exists, please create one).
  • Any newly added unsafe code is properly documented.

@DemiMarie
Mark VfioContainer::vfio_dma_map as unsafe
b60a717 
vfio_syscall::map_dma causes the kernel to make an arbitrary address
accessible for DMA by a device the guest typically controls.  This is
unsafe, as it can change memory that Rust assumes is immutable.

I found this through a review of Cloud Hypervisor [1], where I saw a
safe function that took a host address cast to u64 as an argument and
accessed that address.  It turns out that this function was the source
of the unsoundness.

[1]: cloud-hypervisor/cloud-hypervisor#7129

Signed-off-by: Demi Marie Obenour <[email protected]>
@DemiMarie
Do not rely on GuestMemory to be well-behaved
b684b88 
GuestMemory is a safe trait, so it is permissible for
GuestMemory::get_host_address() to return a garbage pointer that is
obviously unsafe to use.  Instead, use GuestMemory::get_slice(), which
returns a VolatileSlice that always points to valid memory.

See rust-vmm/vm-memory#332 for details.

Signed-off-by: Demi Marie Obenour <[email protected]>
@DemiMarie DemiMarie changed the title Fix multi Fix multiple soundness issues Jul 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jiangliu jiangliu Awaiting requested review from jiangliu jiangliu is a code owner

@jinankjain jinankjain Awaiting requested review from jinankjain jinankjain is a code owner

@likebreath likebreath Awaiting requested review from likebreath likebreath is a code owner

@liuw liuw Awaiting requested review from liuw liuw is a code owner

@rbradford rbradford Awaiting requested review from rbradford rbradford is a code owner

@russell-islam russell-islam Awaiting requested review from russell-islam russell-islam is a code owner

@sameo sameo Awaiting requested review from sameo sameo is a code owner

@sboeuf sboeuf Awaiting requested review from sboeuf sboeuf is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@DemiMarie