WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] Re: [PATCH 5/6] trace: fix security issues

from [George Dunlap] [Permanent Link][Original]
To: Jan Beulich <JBeulich@xxxxxxxxxx>
Subject: [Xen-devel] Re: [PATCH 5/6] trace: fix security issues
From: George Dunlap <dunlapg@xxxxxxxxx>
Date: Thu, 1 Jul 2010 09:32:33 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 01 Jul 2010 01:33:36 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type; bh=vbgrz9vsoCb3fF+DBM4NcD74HCBiZ/dMrhal36s34pg=; b=V5Ako9mFwXHNUZP5vocmh/Jqmg7GhH1sKBMY6su8cQLYjEwu3oLpEFz1eoKMIklNSY cuPKxijxG8XDMYPXcSmT/fulgwWFrOxe7P0tZo4frCZiv/ZiBlHBtUrYG6zz77ayyOM3 4NHJDYNxsKOnAo2v4GaeT5EB5hMPtTiApzipc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=GLkGxeODWMVcuF+pp1aHuvQMJ3iMZHpmcEAhiRlGE45VrUCI+0uWtDtrLlqFU2x6Nf 8wAguLW8GLedHg7BtpnLb3L7uy92tJhft8Tg67753VwbNzRKjNVLz0mH31RoqlN9CKyp KlRH+s9NREOEHfuroCP7XeUEwNFReHEEOlczQ=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4C2C68250200007800009030@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <4C2A2F710200007800008A90@xxxxxxxxxxxxxxxxxx> <AANLkTikdGxPR1c7RIfRdZQEcqfsiWSe2waMjOlbVsbli@xxxxxxxxxxxxxx> <4C2C68250200007800009030@xxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx 
On Thu, Jul 1, 2010 at 9:04 AM, Jan Beulich <JBeulich@xxxxxxxxxx> wrote:
> The point is to prevent the compiler from doing the memory reads
> more than once (which it is permitted to do on non-volatiles). As
> said in the submission comment, this could be done via barriers too,
> but one of the two has to be there.

I understand what the volatile modifier is supposed to do. :-)
(Although I think you've got it backwards -- it forces the compiler to
do memory reads every time, instead of doing them only once and
caching them in a register.)  My question is, why do you think the
volatile modifier is necessary?  What kinds of situations are you
trying to protect against?  What terrible havoc can a broken / rogue
xentrace binary wreak upon the hypervisor if we don't have the
volatiles in?

Moreover, the purpose of volatile is slightly different than memory
barriers.  AFAICT from the rather sparse documentation, "volatile"
doesn't prevent a compiler from re-ordering memory accesses that it
deems independent.  That's what the memory barriers are for.

At least one specific example where volatile helps would be appreciated.

> Not really - the buffer can't disappear if we make it here, it can only
> disappear when tb_init_done wasn't set yet. But if that's a major
> concern, I can of course put the check back into the locked region.

Hmm -- that happens to be the case now, but it's not guaranteed to be
that way forever, and this is essentially a "trap" laid for anyone who
changes that invariant.  At some point I would like to implement
re-sizable trace buffers, in which case the buffer may disappear after
tb_init_done is set. I'd rather not rely on my memory of this
discussion. :-)

> And wait, I think in the end there's no change needed at all -
> originally I thought going to the "unlock" label here is unsafe as
> the code there would de-reference buf, but started_below_highwater
> still being zero would prevent this.

Yes, that's in part what setting that was for.  I'll add a comment to
that effect.

> So I'll submit another version in any case, after we settled on
> whether using volatile qualifiers is acceptable here.

I've already got things in a nice patchqueue, including my modified
patches -- I'll just pull out the volatile code, make the simple
changes we've discussed, and post the patch queue.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, Jan Beulich
Next by Date:  [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, Jan Beulich
Previous by Thread:  [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, Jan Beulich
Next by Thread:  [Xen-devel] Re: [PATCH 5/6] trace: fix security issues, Jan Beulich
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy