Xen project Mailing List

Re: [PATCH] AMD/IOMMU: avoid UB in guest CR3 retrieval

To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 19 Nov 2020 16:12:09 +0000

Authentication-results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: Paul Durrant <paul@xxxxxxx>

Delivery-date: Thu, 19 Nov 2020 16:20:01 +0000

Ironport-sdr: 3rYK65YTP0NsSE5KBh3xUx7YIq/BgJ0nNvC2qpmKuCSp/AcSivp9lSmK7f+HSzHZ7b3lpgChHM 6Qpb4DQOWPbqKEHO+nJppyS8gn7z5Ab/iF+J3bXRInaViOLNiI9l8wGgTeDySj5j9faa5Xvbzi bWjEDzqtf/TYV47jxtdr70Bdlh2hCm0bqq4FxaWK6F2FqtymZS65CT80ZGH3NYF0+ygxXgf//n ewMMSzqcfNa/e9/LJtF1HhX0MsVI8mmnYKdDzxTkIr6igVvRJ8koDUJqoXY6zDJgr69rMeNdQ7 9hs=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 19/11/2020 15:58, Jan Beulich wrote: > Found by looking for patterns similar to the one Julien did spot in > pci_vtd_quirks(). (Not that it matters much here, considering the code > is dead right now.) > > Fixes: 3a7947b69011 ("amd-iommu: use a bitfield for DTE") > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> There is *still* an outstanding regression (modulo dead code) in one of these bitfield-ifications which is off by 12, but I can't remember if it is this one or not. > > --- a/xen/drivers/passthrough/amd/iommu_guest.c > +++ b/xen/drivers/passthrough/amd/iommu_guest.c > @@ -70,7 +70,8 @@ static void guest_iommu_disable(struct g > > static uint64_t get_guest_cr3_from_dte(struct amd_iommu_dte *dte) > { > - return ((dte->gcr3_trp_51_31 << 31) | (dte->gcr3_trp_30_15 << 15) | > + return (((uint64_t)dte->gcr3_trp_51_31 << 31) | > + (dte->gcr3_trp_30_15 << 15) | > (dte->gcr3_trp_14_12 << 12)) >> PAGE_SHIFT; > } >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.