
[Xen-devel] [PULL 1/2] xen/blkif: avoid double access to any shared ring request fields



From: Jan Beulich <JBeulich@xxxxxxxx>

Commit f9e98e5d7a ("xen/blkif: Avoid double access to
src->nr_segments") didn't go far enough: src->operation is also being
used twice. And nothing was done to prevent the compiler from using the
source side of the copy done by blk_get_request() (granted that's very
unlikely).

Move the barrier()s up, and add another one to blk_get_request().

Note that for completing XSA-155, the barrier() getting added to
blk_get_request() would suffice, and hence the changes to xen_blkif.h
are more like just cleanup. And since, as said, the unpatched code
getting compiled to something vulnerable is very unlikely (and not
observed in practice), this isn't being viewed as a new security issue.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
Signed-off-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 hw/block/xen_blkif.h | 12 ++++++------
 hw/block/xen_disk.c  |  2 ++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h
index c68487cb..e3b133b 100644
--- a/hw/block/xen_blkif.h
+++ b/hw/block/xen_blkif.h
@@ -79,14 +79,14 @@ static inline void blkif_get_x86_32_req(blkif_request_t 
*dst, blkif_x86_32_reque
        dst->handle = src->handle;
        dst->id = src->id;
        dst->sector_number = src->sector_number;
-       if (src->operation == BLKIF_OP_DISCARD) {
+       /* Prevent the compiler from using src->... instead. */
+       barrier();
+       if (dst->operation == BLKIF_OP_DISCARD) {
                struct blkif_request_discard *s = (void *)src;
                struct blkif_request_discard *d = (void *)dst;
                d->nr_sectors = s->nr_sectors;
                return;
        }
-       /* prevent the compiler from optimizing the code and using 
src->nr_segments instead */
-       barrier();
        if (n > dst->nr_segments)
                n = dst->nr_segments;
        for (i = 0; i < n; i++)
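Review bot: in the BLKIF_OP_DISCARD branch, `d->nr_sectors = s->nr_sectors` still reads the shared request through src after the barrier, so the new comment "Prevent the compiler from using src->... instead" reads as covering more than it does. That read happens once and nothing in this hunk checks it beforehand, so it is not a double fetch, but the comment would be more accurate if it named the fields already copied into dst (the ones the operation test and the nr_segments clamp rely on). Any later range check on nr_sectors then has to be made against the dst copy.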
@@ -102,14 +102,14 @@ static inline void blkif_get_x86_64_req(blkif_request_t 
*dst, blkif_x86_64_reque
        dst->handle = src->handle;
        dst->id = src->id;
        dst->sector_number = src->sector_number;
-       if (src->operation == BLKIF_OP_DISCARD) {
+       /* Prevent the compiler from using src->... instead. */
+       barrier();
+       if (dst->operation == BLKIF_OP_DISCARD) {
                struct blkif_request_discard *s = (void *)src;
                struct blkif_request_discard *d = (void *)dst;
                d->nr_sectors = s->nr_sectors;
                return;
        }
-       /* prevent the compiler from optimizing the code and using 
src->nr_segments instead */
-       barrier();
        if (n > dst->nr_segments)
                n = dst->nr_segments;
        for (i = 0; i < n; i++)
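Review bot: with the barrier moved above the discard check, the clamp `if (n > dst->nr_segments)` loses the comment that explained why it reads dst rather than src, and the only remaining explanation now sits several lines up. A short comment at the clamp, or wording the new comment so that it explicitly covers both the operation test and the nr_segments clamp, would keep someone from later changing it back to src->nr_segments. The comment, barrier and check sequence is also duplicated verbatim from blkif_get_x86_32_req, so the two copies have to be kept in sync by hand.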
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index 064c116..cf57814 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -679,6 +679,8 @@ static int blk_get_request(struct XenBlkDev *blkdev, struct 
ioreq *ioreq, RING_I
                              RING_GET_REQUEST(&blkdev->rings.x86_64_part, rc));
         break;
     }
+    /* Prevent the compiler from accessing the on-ring fields instead. */
+    barrier();
     return 0;
 }
 
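Review bot: the comment on the barrier() added before `return 0;` says "instead" without saying instead of what; it should name the private copy made just above, since that copy is the only thing callers may look at from here on. The commit message states that this barrier alone would suffice for completing XSA-155, so the comment is the place to say that it is the security-relevant one, otherwise it looks redundant next to the barriers in xen_blkif.h and is a candidate for removal in a later cleanup.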
-- 
1.9.1


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
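The pattern the patch enforces (copy a ring field once, place a barrier, then check and use only the copy), shown as an added example that is not part of the original message or of QEMU. The struct, the limit, the function names and the accessor that rewrites the field after every read are constructed stand-ins for a guest modifying the shared page between two backend reads.

```c
#include <stdint.h>

/* Compiler-only barrier in the style the patch uses (GCC/Clang syntax). */
#define barrier() __asm__ __volatile__("" ::: "memory")
#define MAX_SEGS 11  /* constructed limit for this demo */

/* Constructed stand-in for a request slot on a guest-writable ring. */
struct shared_req { uint8_t operation; uint8_t nr_segments; };

/* Models a hostile frontend deterministically: after every backend read
 * of the slot, the guest rewrites nr_segments to an out-of-range value. */
static uint8_t ring_read_nr_segments(struct shared_req *s)
{
    uint8_t v = s->nr_segments;
    s->nr_segments = 255;
    return v;
}

/* Double fetch: validates one read, then uses a second read. */
static unsigned segs_double_fetch(struct shared_req *s)
{
    if (ring_read_nr_segments(s) > MAX_SEGS)
        return 0;                        /* rejected */
    return ring_read_nr_segments(s);     /* value the check never saw */
}

/* Single fetch: copy once, barrier, then check and use only the copy. */
static unsigned segs_single_fetch(struct shared_req *s)
{
    struct shared_req local;
    local.operation = s->operation;
    local.nr_segments = ring_read_nr_segments(s);
    barrier();  /* in real code: stops the compiler re-reading *s below */
    if (local.nr_segments > MAX_SEGS)
        return 0;
    return local.nr_segments;
}

int main(void)
{
    struct shared_req a = { 0, 4 }, b = { 0, 4 };
    /* Exit status 0 when the double fetch leaks 255 and the copy yields 4. */
    return !(segs_double_fetch(&a) == 255 && segs_single_fetch(&b) == 4);
}
```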

 

