[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH V4 1/4] x86/mm: Add array_index_nospec to guest provided index values

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>
  • Date: Wed, 18 Dec 2019 09:57:01 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bitdefender.com; dmarc=pass action=none header.from=bitdefender.com; dkim=pass header.d=bitdefender.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=L6t84KV1jwncq+yQuzUOQqv2Vrr/uQ7V1lILXfVmK40=; b=QQJxAqG9vrCquhnoZ1xOF/xhwBFtlnt5zWQMaq2UlShzefLANox6yn78xsenygp8eA8KNdW/TBfnTKGEZgwvtpjcv1Cd8l3NIAEkQJTq73TPcibLMCf5oSFqa/TpdabFYVYRlz1nf2is8cdexsO5vO1dJZD713+DklBwplS1umgwZA0krKphrvBg3RXD6vz/jA0YQ9h5IPkhGSjhVi7BunK9FM1nt31Xv907W6EMcdLthU9ne2Ugvo1CzjwU0lDKN1qBJYl6PO2ZWZu9J5ZgVerl51I38Wlfymf/9HOBkVy5tx7ds4QL6DP9WxKJDqit7bJP3tiQksWCMrJfkpngjA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HDRINPAVV8rG0jWpx+fQwmw0PXfKtmJz/lC3gUODI94980MyIpMshicvEpIAl0iXnxKTTaL0XbJkhLqyGNrqV5aU1ajOpQ/INJKllwTX5Wv/B2JS4bH6XWlSAQBD+jMu1BDGAAxeKJbNU8+xKk8z/DlFMbfDLdrRTN5pGCi75IGPL94KEO/AVLF7WoDV9Knacb+4bQS2+WG89CWYlsPQcg7aBWhF092NMx8lO7A+TQjy1rY4b8oRZsAQxh5rad6AKlM34oaybZTzs+m3wvr1a7iUq2jTKeM6MhiePBV471m0hkJ9W+sIbtcpcWgerYjoyoHJLQaL/KiUGqmG1UbJ/w==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@xxxxxxxxxxxxxxx;
  • Cc: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Razvan COJOCARU <rcojocaru@xxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Wed, 18 Dec 2019 09:57:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVtOxhsG39wuvEP0STO9uvU+j0gae+ikOAgAEhbAD///1ygA==
  • Thread-topic: [Xen-devel] [PATCH V4 1/4] x86/mm: Add array_index_nospec to guest provided index values

On 18.12.2019 10:06, Alexandru Stefan ISAILA wrote:
> 
> 
> On 17.12.2019 18:50, Jan Beulich wrote:
>> On 17.12.2019 16:12, Alexandru Stefan ISAILA wrote:
>>> --- a/xen/arch/x86/mm/mem_access.c
>>> +++ b/xen/arch/x86/mm/mem_access.c
>>> @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, 
>>> uint32_t nr,
>>>        if ( altp2m_idx )
>>>        {
>>>            if ( altp2m_idx >= MAX_ALTP2M ||
>>> -             d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) )
>>> +             d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] 
>>> ==
>>
>> The bounds check is against MAX_ALTP2M. Both MAX_ values look to be
>> independent, which means bounds check and value passed to the
>> helper need to match up (not just here).
> 
> I will have both checks against MAX_ALTP2M.
> 
>>
>>> --- a/xen/arch/x86/mm/p2m-ept.c
>>> +++ b/xen/arch/x86/mm/p2m-ept.c
>>> @@ -1353,7 +1353,8 @@ void setup_ept_dump(void)
>>>    
>>>    void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
>>>    {
>>> -    struct p2m_domain *p2m = d->arch.altp2m_p2m[i];
>>> +    struct p2m_domain *p2m =
>>> +           d->arch.altp2m_p2m[array_index_nospec(i, MAX_ALTP2M)];
>>>        struct p2m_domain *hostp2m = p2m_get_hostp2m(d);
>>>        struct ept_data *ept;
>>>    
>>> @@ -1366,7 +1367,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned 
>>> int i)
>>>        p2m->max_mapped_pfn = p2m->max_remapped_gfn = 0;
>>>        ept = &p2m->ept;
>>>        ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
>>> -    d->arch.altp2m_eptp[i] = ept->eptp;
>>> +    d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
>>>    }
>>>    
>>>    unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
>>> --- a/xen/arch/x86/mm/p2m.c
>>> +++ b/xen/arch/x86/mm/p2m.c
>>> @@ -2499,7 +2499,7 @@ static void p2m_reset_altp2m(struct domain *d, 
>>> unsigned int idx,
>>>        struct p2m_domain *p2m;
>>>    
>>>        ASSERT(idx < MAX_ALTP2M);
>>> -    p2m = d->arch.altp2m_p2m[idx];
>>> +    p2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)];
>>>    
>>>        p2m_lock(p2m);
>>>    
>>> @@ -2540,7 +2540,7 @@ static int p2m_activate_altp2m(struct domain *d, 
>>> unsigned int idx)
>>>    
>>>        ASSERT(idx < MAX_ALTP2M);
>>>    
>>> -    p2m = d->arch.altp2m_p2m[idx];
>>> +    p2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)];
>>
>> All of the above have a more or less significant disconnect between
>> the bounds check and the use as array index. I think it would be
>> quite helpful if these could live close to one another, so one can
>> (see further up) easily prove that both specified bounds actually
>> match up.
>>
> 
> Sure, I can move the array use closer together.
> 

Sorry to come back on this but I was looking in the code and I am not 
sure I follow where is the disconnect. If you are talking about 
p2m_init_altp2m_ept() the eptp code will move up in patch 3/4.

Can you please clarify?

Thanks,
Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.