[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH V5 1/4] x86/mm: Add array_index_nospec to guest provided index values


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>
  • Date: Fri, 20 Dec 2019 11:49:16 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bitdefender.com; dmarc=pass action=none header.from=bitdefender.com; dkim=pass header.d=bitdefender.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VsQhaMEOmDsPpQP67JAwhzYKsyLIqMYyjBJmeNOgEz0=; b=eLEbTLK4nGskUSKeTeRv9iLWOMx7zpAl2bW0+T0/r9kEhXyM5Y8xkMgZL/ub3Mg+WUn4uM/lN9uCm8vOMUboH18M1or7h7QrVfI46jitIlqYIkY3PJTEHDsCFmmDFWp8zTsIDfWJK3EAqHPvQx5d2kPtjybMpwTk4fw1hyZgq5Q2k2G8wGUKU05Wdp0Vdt7tSZTUVCx4dA/Vl7fb3IwJ2HIOhxvd7JlRtKubuhhV7alLlQmtaIRYLGuHHpQ+/nTOCXX9mVZSHrsimVK7hWNDkOCco0IurqZ7RVpK1aFgWOl0tUj82dA2j5QjZIGpTsedf6UHuBsAptUPX9ZNcCbVDA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UUTrMrN6q6cxdkgSh4nV0YTgJsJw1Wdt0QcQwV6GmT9rYq1CT93TodGWMWkDYUXLY04TFo1B5n6O6wmh4dFKXanPFQdAyEvWWJRCjASurt9uOuAkFZ3J+xfQvIeZ9vZ5WeSsacyceFZPw8x2mN0e3Dmv3N7co+MxWY+ViTlCm7TepiNBC+IqDXRGY0sxOxlI1HRYeQhE0EFxWI6HuFtDTOj1fIMQEN72q/xQG2D/NONZmWWxFUNoMWjFVLnX0Nd6rBuSGcgNLAFd413dnsJTqWhJTPGYWDy6DirAQBuFrMfDaq8/U7V/NAA4XXyjEOlFKFPAmfpnaqytUnC3jJRYRQ==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@xxxxxxxxxxxxxxx;
  • Cc: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Razvan COJOCARU <rcojocaru@xxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Fri, 20 Dec 2019 11:49:25 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVtlCv9fBx8h7blUeN6Fd8ih9YqafBRckAgAGZaoD//+b9AIAAJC8A
  • Thread-topic: [PATCH V5 1/4] x86/mm: Add array_index_nospec to guest provided index values


On 20.12.2019 11:39, Jan Beulich wrote:
> On 20.12.2019 10:09, Alexandru Stefan ISAILA wrote:
>>
>>
>> On 19.12.2019 12:43, Jan Beulich wrote:
>>> On 19.12.2019 10:42, Alexandru Stefan ISAILA wrote:
>>>> This patch aims to sanitize indexes, potentially guest provided
>>>> values, for altp2m_eptp[] and altp2m_p2m[] arrays.
>>>>
>>>> Requested-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>> Signed-off-by: Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>
>>>> ---
>>>> CC: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>
>>>> CC: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
>>>> CC: Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>
>>>> CC: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
>>>> CC: Jan Beulich <jbeulich@xxxxxxxx>
>>>> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>> CC: Wei Liu <wl@xxxxxxx>
>>>> CC: "Roger Pau Monné" <roger.pau@xxxxxxxxxx>
>>>> CC: Jun Nakajima <jun.nakajima@xxxxxxxxx>
>>>> CC: Kevin Tian <kevin.tian@xxxxxxxxx>
>>>> ---
>>>> Changes since V4:
>>>>    - Change bounds check from MAX_EPTP to MAX_ALTP2M
>>>>    - Move array_index_nospec() closer to the bounds check.
>>>> ---
>>>>    xen/arch/x86/mm/mem_access.c | 15 +++++++++------
>>>>    xen/arch/x86/mm/p2m.c        | 20 ++++++++++++++------
>>>>    2 files changed, 23 insertions(+), 12 deletions(-)
>>>>
>>>> diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c
>>>> index 320b9fe621..33e379db8f 100644
>>>> --- a/xen/arch/x86/mm/mem_access.c
>>>> +++ b/xen/arch/x86/mm/mem_access.c
>>>> @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, 
>>>> uint32_t nr,
>>>>        if ( altp2m_idx )
>>>>        {
>>>>            if ( altp2m_idx >= MAX_ALTP2M ||
>>
>> Ok, so have if ( altp2m_idx >=  min(ARRAY_SIZE(d->arch.altp2m_eptp),
>> MAX_EPTP) ||
>> here and then...
>>
>>>> -             d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) )
>>>> +             d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, 
>>>> MAX_ALTP2M)] ==
>>
>> have MAX_EPTP here and ...
>>
>>>
>>> As implied by a reply to v4, this is still latently buggy: There's
>>> no guarantee anyone will notice the issue here when bumping
>>> MAX_ALTP2M past MAX_EPTP. The only future proof thing to do here
>>> is, as suggested, using some form of min(MAX_ALTP2M, MAX_EPTP) in
>>> the actual bounds check. Then each array access itself can be made
>>> use the correct bound. In fact you'd probably have noticed this if
>>> you had made use of array_access_nospec() where possible (which
>>> also would help readability) - apparently not here, but ... >
>>>> +             mfn_x(INVALID_MFN) )
>>>>                return -EINVAL;
>>>>    
>>>> -        ap2m = d->arch.altp2m_p2m[altp2m_idx];
>>>> +        ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, 
>>>> MAX_ALTP2M)];
>>
>> MAX_ALTP2M here ?
> 
> Yes, that's how I think it ought to be. Give others a chance to
> disagree with me, though.
> 

There is a slight problem with using (ARRAY_SIZE(..)) it will give 
"error: static assertion failed:" on  __must_be_array(x) because 
d->arch.altp2m_eptp is not static.

Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.