[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH SpectreV1+L1TF v4 10/11] x86/hvm/hpet: block speculative out-of-bound accesses

To: <nmanthey@xxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Fri, 25 Jan 2019 09:50:10 -0700
Cc: Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, "Martin Mazein\(amazein\)" <amazein@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Julian Stecklina <jsteckli@xxxxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>
Delivery-date: Fri, 25 Jan 2019 16:50:25 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 23.01.19 at 12:57, <nmanthey@xxxxxxxxx> wrote:
> When interacting with hpet, read and write operations can be executed
> during instruction emulation, where the guest controls the data that
> is used. As it is hard to predict the number of instructions that are
> executed speculatively, we prevent out-of-bound accesses by using the
> array_index_nospec function for guest specified addresses that should
> be used for hpet operations.
> 
> This commit is part of the SpectreV1+L1TF mitigation patch series.
> 
> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
with one further remark:

> @@ -523,7 +526,7 @@ static int hpet_write(
>      case HPET_Tn_ROUTE(0):
>      case HPET_Tn_ROUTE(1):
>      case HPET_Tn_ROUTE(2):
> -        tn = HPET_TN(ROUTE, addr);
> +        tn = array_index_nospec(HPET_TN(ROUTE, addr), 
> ARRAY_SIZE(h->hpet.timers));
>          h->hpet.timers[tn].fsb = new_val;
>          break;

This one, unlike the other two in this function, would be a fair
candidate for use of array_access_nospec() - tn is used just
once here.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] SpectreV1+L1TF Patch Series
  - From: Norbert Manthey
- [Xen-devel] [PATCH SpectreV1+L1TF v4 10/11] x86/hvm/hpet: block speculative out-of-bound accesses
  - From: Norbert Manthey

Prev by Date: Re: [Xen-devel] [PATCH-for-4.12] docs: Fix dm_restrict documentation
Next by Date: Re: [Xen-devel] [PATCH-for-4.12] docs: Fix dm_restrict documentation
Previous by thread: [Xen-devel] [PATCH SpectreV1+L1TF v4 10/11] x86/hvm/hpet: block speculative out-of-bound accesses
Next by thread: [Xen-devel] [PATCH SpectreV1+L1TF v4 11/11] x86/CPUID: block speculative out-of-bound accesses
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.