xen-devel

[Top] [All Lists]

[Xen-devel] Re: [PATCH 5/6] trace: fix security issues

from [Jan Beulich]

[Permanent Link][Original]

To:	"George Dunlap" <dunlapg@xxxxxxxxx>
Subject:	[Xen-devel] Re: [PATCH 5/6] trace: fix security issues
From:	"Jan Beulich" <JBeulich@xxxxxxxxxx>
Date:	Thu, 01 Jul 2010 09:04:21 +0100
Cc:	xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Thu, 01 Jul 2010 01:04:52 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<AANLkTikdGxPR1c7RIfRdZQEcqfsiWSe2waMjOlbVsbli@xxxxxxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<4C2A2F710200007800008A90@xxxxxxxxxxxxxxxxxx> <AANLkTikdGxPR1c7RIfRdZQEcqfsiWSe2waMjOlbVsbli@xxxxxxxxxxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx

>>> On 30.06.10 at 18:58, George Dunlap <dunlapg@xxxxxxxxx> wrote:
> Most of the patch, other than the volatiles, looks good; thanks for doing 
> this.
> 
> Can you explain exactly what it is you're trying to accomplish by
> making things volatile?  What kinds of failure modes are you expecting
> to protect against?  Glancing through the code, I can't really see
> that making things volatile will make much of a difference.

The point is to prevent the compiler from doing the memory reads
more than once (which it is permitted to do on non-volatiles). As
said in the submission comment, this could be done via barriers too,
but one of the two has to be there.

> Further comments inline below.
> 
> On Tue, Jun 29, 2010 at 4:37 PM, Jan Beulich <JBeulich@xxxxxxxxxx> wrote:
>> --- 2010-06-15.orig/xen/common/trace.c  2010-06-29 17:04:45.000000000 +0200
>> +++ 2010-06-15/xen/common/trace.c       2010-06-29 17:05:09.000000000 +0200
> [snip]
>> @@ -626,13 +649,11 @@ void __trace_var(u32 event, int cycles,
>>
>>     /* Read tb_init_done /before/ t_bufs. */
>>     rmb();
>> -
>> -    spin_lock_irqsave(&this_cpu(t_lock), flags);
>> -
>>     buf = this_cpu(t_bufs);
>> -
>>     if ( unlikely(!buf) )
>> -        goto unlock;
>> +        return;
>> +
>> +    spin_lock_irqsave(&this_cpu(t_lock), flags);
> 
> This isn't any good: the whole point of this lock is to keep t_bufs
> from disappearing under our feet.

Not really - the buffer can't disappear if we make it here, it can only
disappear when tb_init_done wasn't set yet. But if that's a major
concern, I can of course put the check back into the locked region.
And wait, I think in the end there's no change needed at all -
originally I thought going to the "unlock" label here is unsafe as
the code there would de-reference buf, but started_below_highwater
still being zero would prevent this.

So I'll submit another version in any case, after we settled on
whether using volatile qualifiers is acceptable here.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-devel] Re: [PATCH 5/6] trace: fix security issues, Jan Beulich <= [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, George Dunlap [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, Jan Beulich [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, George Dunlap [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, Jan Beulich

Previous by Date:	Re: [Xen-devel] [PATCH] x86: fix an off-by-one pirq range check, Jan Beulich
Next by Date:	[Xen-devel] Re: [PATCH 5/6] trace: fix security issues, George Dunlap
Previous by Thread:	Re: [Xen-devel] [PATCH] x86: fix an off-by-one pirq range check, Jan Beulich
Next by Thread:	[Xen-devel] Re: [PATCH 5/6] trace: fix security issues, George Dunlap
Indexes:	[Date] [Thread] [Top] [All Lists]