|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH L1TF MDS GT v1 2/3] common/grant_table: harden bound accesses
Guests can issue grant table operations and provide guest controlled
data to them. This data is used as index for memory loads after bound
checks have been done. To avoid speculative out-of-bound accesses, we
use the array_index_nospec macro where applicable, or the macro
block_speculation. Note, that the block_speculation is always used in
the calls to shared_entry_header and nr_grant_entries, so that no
additional protection is required once these functions have been
called.
Speculative execution is not blocked in case one of the following
properties is true:
- path cannot be triggered by the guest
- path does not return to the guest
- path does not result in an out-of-bound access
- path cannot be executed repeatedly
Only the combination of the above properties allows to actually leak
continuous chunks of memory. Therefore, we only add the penalty of
protective mechanisms in case a potential speculative out-of-bound
access matches all the above properties.
This commit addresses only out-of-bound accesses whose index is
directly controlled by the guest, and the index is checked before.
Potential out-of-bound accesses that are caused by speculatively
evaluating the version of the current table are not addressed in this
commit.
This is part of the speculative hardening effort.
Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>
---
Notes:
v1: adapt the comments for shared_entry_header to show that they 'also'
block speculative execution
xen/common/grant_table.c | 43 ++++++++++++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -988,9 +988,10 @@ map_grant_ref(
PIN_FAIL(unlock_out, GNTST_bad_gntref, "Bad ref %#x for d%d\n",
op->ref, rgt->domain->domain_id);
- act = active_entry_acquire(rgt, op->ref);
+ /* This call also ensures the above check cannot be passed speculatively */
shah = shared_entry_header(rgt, op->ref);
status = rgt->gt_version == 1 ? &shah->flags : &status_entry(rgt, op->ref);
+ act = active_entry_acquire(rgt, op->ref);
/* If already pinned, check the active domid and avoid refcnt overflow. */
if ( act->pin &&
@@ -1346,6 +1347,9 @@ unmap_common(
goto unlock_out;
}
+ /* Make sure the above bound check cannot be bypassed speculatively */
+ block_speculation();
+
act = active_entry_acquire(rgt, op->ref);
/*
@@ -1443,7 +1447,7 @@ unmap_common_complete(struct gnttab_unmap_common *op)
struct page_info *pg;
uint16_t *status;
- if ( !op->done )
+ if ( evaluate_nospec(!op->done) )
{
/* unmap_common() didn't do anything - nothing to complete. */
return;
@@ -2051,6 +2055,7 @@ gnttab_prepare_for_transfer(
goto fail;
}
+ /* This call also ensures the above check cannot be passed speculatively */
sha = shared_entry_header(rgt, ref);
scombo.word = *(u32 *)&sha->flags;
@@ -2248,7 +2253,12 @@ gnttab_transfer(
spin_unlock(&e->page_alloc_lock);
okay = gnttab_prepare_for_transfer(e, d, gop.ref);
- if ( unlikely(!okay || assign_pages(e, page, 0, MEMF_no_refcount)) )
+ /*
+ * Make sure the reference bound check in gnttab_prepare_for_transfer
+ * is respected and speculative execution is blocked accordingly
+ */
+ if ( unlikely(!evaluate_nospec(okay)) ||
+ unlikely(assign_pages(e, page, 0, MEMF_no_refcount)) )
{
bool drop_dom_ref;
@@ -2435,8 +2445,10 @@ acquire_grant_for_copy(
PIN_FAIL(gt_unlock_out, GNTST_bad_gntref,
"Bad grant reference %#x\n", gref);
- act = active_entry_acquire(rgt, gref);
+ /* This call also ensures the above check cannot be passed speculatively */
shah = shared_entry_header(rgt, gref);
+ act = active_entry_acquire(rgt, gref);
+
if ( rgt->gt_version == 1 )
{
sha2 = NULL;
@@ -2853,6 +2865,9 @@ static int gnttab_copy_buf(const struct gnttab_copy *op,
op->dest.offset, dest->ptr.offset,
op->len, dest->len);
+ /* Make sure the above checks are not bypassed speculatively */
+ block_speculation();
+
memcpy(dest->virt + op->dest.offset, src->virt + op->source.offset,
op->len);
gnttab_mark_dirty(dest->domain, dest->mfn);
@@ -2972,7 +2987,7 @@
gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop)
struct grant_table *gt = currd->grant_table;
grant_entry_v1_t reserved_entries[GNTTAB_NR_RESERVED_ENTRIES];
int res;
- unsigned int i;
+ unsigned int i, nr_ents;
if ( copy_from_guest(&op, uop, 1) )
return -EFAULT;
@@ -2996,7 +3011,8 @@
gnttab_set_version(XEN_GUEST_HANDLE_PARAM(gnttab_set_version_t) uop)
* are allowed to be in use (xenstore/xenconsole keeps them mapped).
* (You need to change the version number for e.g. kexec.)
*/
- for ( i = GNTTAB_NR_RESERVED_ENTRIES; i < nr_grant_entries(gt); i++ )
+ nr_ents = nr_grant_entries(gt);
+ for ( i = GNTTAB_NR_RESERVED_ENTRIES; i < nr_ents; i++ )
{
if ( read_atomic(&_active_entry(gt, i).pin) != 0 )
{
@@ -3238,6 +3254,9 @@ swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b)
if ( unlikely(ref_b >= nr_grant_entries(d->grant_table)))
PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-b %#x\n", ref_b);
+ /* Make sure the above checks are not bypassed speculatively */
+ block_speculation();
+
/* Swapping the same ref is a no-op. */
if ( ref_a == ref_b )
goto out;
@@ -3707,13 +3726,14 @@ void grant_table_warn_active_grants(struct domain *d)
struct grant_table *gt = d->grant_table;
struct active_grant_entry *act;
grant_ref_t ref;
- unsigned int nr_active = 0;
+ unsigned int nr_active = 0, nr_ents;
#define WARN_GRANT_MAX 10
grant_read_lock(gt);
- for ( ref = 0; ref != nr_grant_entries(gt); ref++ )
+ nr_ents = nr_grant_entries(gt);
+ for ( ref = 0; ref != nr_ents; ref++ )
{
act = active_entry_acquire(gt, ref);
if ( !act->pin )
@@ -3863,6 +3883,9 @@ static int gnttab_get_status_frame_mfn(struct domain *d,
return -EINVAL;
}
+ /* Make sure idx is bounded wrt nr_status_frames */
+ block_speculation();
+
*mfn = _mfn(virt_to_mfn(gt->status[idx]));
return 0;
}
@@ -3962,6 +3985,7 @@ static void gnttab_usage_print(struct domain *rd)
int first = 1;
grant_ref_t ref;
struct grant_table *gt = rd->grant_table;
+ unsigned int nr_ents;
printk(" -------- active -------- -------- shared --------\n");
printk("[ref] localdom mfn pin localdom gmfn flags\n");
@@ -3974,7 +3998,8 @@ static void gnttab_usage_print(struct domain *rd)
nr_grant_frames(gt), gt->max_grant_frames,
nr_maptrack_frames(gt), gt->max_maptrack_frames);
- for ( ref = 0; ref != nr_grant_entries(gt); ref++ )
+ nr_ents = nr_grant_entries(gt);
+ for ( ref = 0; ref != nr_ents; ref++ )
{
struct active_grant_entry *act;
struct grant_entry_header *sha;
--
2.7.4
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |