[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH V6 1/4] x86/mm: Add array_index_nospec to guest provided index values


  • To: George Dunlap <george.dunlap@xxxxxxxxxx>
  • From: Jan Beulich <JBeulich@xxxxxxxx>
  • Date: Fri, 27 Dec 2019 07:52:59 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UJhK7118H9hvsr7HS5/4d6+JU56yDwtNOifgEE5SYcI=; b=KJgwyu/QbQOciUO5JxzbKZXrBYPObUJev82Bbbn3x/VOvlXHMvYLaezSDmF/AXJVAJH/9dAkylIsy8KgtSwsPBO5qT9diSmzhO6NI3JM53kjV438ghud2Il6kT/Kdc43zZCoQ0vmYe2Xb9PpNnj0YsAb8/+YeLsEIf7/qrFdiocyINxi3hxp7AMIzDHWlt0VwORdnI5547WQljDWhaefcG2aS6S+e6Sh58VlXGg0QunxOw1p+Dz0e4wzOOChV49PV/NqenYcWCYMvy8/RdHSbMxPMANcvlynvvdgoKjZolGokA5gjZ8pvTQ2pxc+DXlhpur3Ubyrir5792zYrTctFw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HIyxPY7DOlyKi19GX/ZY28iXjdXsrV5th6gULXrlPLWEFFBuk1BL5IcTMCCNf2V7932A3LgvF8Vq+bliL8oKDGwdQFLwAKMdH9LW1UfdC6qjRMEvL4ybRYc8hELkjYqYgcssT8ivFpjUsbT0HTQdM9bLgptrOT23JG6gCww9aMhOTNZ1bOKZ5B/9bAkzh5PBwObpLI2eopuTyFE2QGKS0DPrgRUES0o5vwZj2iEFbnVpxEylfXPoGNza932V9WiOz4b4IZ3bNS2hmKT4fyrR6li9k2h0OrO/PBFq6kBdxi42hc6Gmy0ub56oqfpQfMtN5EOxeYONGwAqDsT56ajQgw==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=JBeulich@xxxxxxxx;
  • Cc: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Razvan COJOCARU <rcojocaru@xxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Fri, 27 Dec 2019 07:55:18 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVuZnmK7OgfjFiuE29BC4XwHoq4afIBKEAgAWdmQA=
  • Thread-topic: [PATCH V6 1/4] x86/mm: Add array_index_nospec to guest provided index values

On 23.12.2019 19:08, George Dunlap wrote:
> On 12/23/19 2:04 PM, Alexandru Stefan ISAILA wrote:
>> This patch aims to sanitize indexes, potentially guest provided
>> values, for altp2m_eptp[] and altp2m_p2m[] arrays.
>>
>> Requested-by: Jan Beulich <jbeulich@xxxxxxxx>
>> Signed-off-by: Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>
>> ---
>> CC: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>
>> CC: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>
>> CC: Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>
>> CC: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
>> CC: Jan Beulich <jbeulich@xxxxxxxx>
>> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>> CC: Wei Liu <wl@xxxxxxx>
>> CC: "Roger Pau Monné" <roger.pau@xxxxxxxxxx>
>> CC: Jun Nakajima <jun.nakajima@xxxxxxxxx>
>> CC: Kevin Tian <kevin.tian@xxxxxxxxx>
>> ---
>> Changes since V5:
>>      - Add black lines
>>      - Check altp2m_idx against min(ARRAY_SIZE(d->arch.altp2m_p2m),
>> MAX_EPTP).
>> ---
>>  xen/arch/x86/mm/mem_access.c | 21 ++++++++++++---------
>>  xen/arch/x86/mm/p2m.c        | 26 ++++++++++++++++++--------
>>  2 files changed, 30 insertions(+), 17 deletions(-)
>>
>> diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c
>> index 320b9fe621..a95a50bcae 100644
>> --- a/xen/arch/x86/mm/mem_access.c
>> +++ b/xen/arch/x86/mm/mem_access.c
>> @@ -366,11 +366,12 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, 
>> uint32_t nr,
>>  #ifdef CONFIG_HVM
>>      if ( altp2m_idx )
>>      {
>> -        if ( altp2m_idx >= MAX_ALTP2M ||
>> -             d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) )
>> +        if ( altp2m_idx >=  min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ||
>> +             d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] 
>> ==
>> +             mfn_x(INVALID_MFN) )
>>              return -EINVAL;
> 
> I realize Jan asked for something like this, and I'm sorry I didn't have
> time to bring it up then, but this seems really silly.  If we're worried
> about this, wouldn't it be better to have a BUILD_BUG_ON(MAX_ALTP2M >
> MAX_EPTP)?

I wouldn't mind this BUILD_BUG_ON() approach as an alternative,
but imo one such instance would then need attaching to every
site.

> Also, this bit where we check the array value and then re-mask the index
> later seems really redundant;

But that's the idea behind the *_nospec() additions: They are to
guard against speculation, i.e. both the bounds check and the
masking of the index have their (distinct) reason.

Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.