[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Tue, 9 Feb 2021 16:27:36 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=75TnBMT0TZ+oFnnZVxQ94PIkDAM1wT+CN9/UN1di+dk=; b=aEkfJFqK+oodA5vb5Lbr8kngTZE7pmdvXYFwxkZuM0lCUtzSm6xb0CdXaAGjreG0O7ezDdct/D9dRTjHunIHOs51hXSgNMTmS2fS6VFU5ylikVvjXJhPWrqL2O1XlSn2fUhmRO02B9F9XZT+/RwwCpGc2DA2jysZXZkKuT9FN+6DMRBBVJVvEHtsJKcNytteJsx1iREPzds3IDuqrYuykHvCbXa4KhanQ2lqSLsgBNPXLgBndUTm3dAaiTOJVgWMTXgIPvJXDcyuKupOrgUes5HTaSvHT/v31BrW5MGx6z8+N4FMt7QhdhykxOI05wHYuV8/KF7VAjKOo7koDcIy7A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Lyudzkh3MvF5iNBPNF+9E8EkcYgg3WoE75Ps7PuPcyPmE+s3UFuDMvmMAZ9RpTLkXLrY4Ty8TOFaCPNf2mPOMn7koFlHNDGKcuy5xdaM1xAb4JxhN/uV+C1dhiRZ5fIBxiXAh+i8Tk8Q1qOHq4hJJqXhJEzjLqH0pdeBsV/lTWkEFQwWgQMOkQ1ojmbnE4EvRlPCQ+jPI2NcDEa10tpglJ3Qw43eIhAnMss/gdLkbtbAsc4Ajkt6VjCWzz8ky92HFN54PSsolPhovva+CJshFuX3JodpRponMxGAU1vf422vnsfETTUSyWhQKq09AlNeYTIlak1jvM7liJdv41W5SQ==
  • Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
  • Delivery-date: Tue, 09 Feb 2021 15:27:52 +0000
  • Ironport-sdr: AhVPYfQI43N4hv/yeooexhfuycttd28VvyHBqCFz+HA1QtXS08EPntvQJxcPOLZjBAxrhbu17L NHsivAOAZ53R9nffaJ+LPRttLZ1YMbQS3O5A0B6KBfTUZszGy70nSGbhodIYKuipIAVENS6xwJ 8mDfMXfVYPI3ccy5jNiqjv+0BhaYc0Wg37/4SDSEmfHkDJRpOwFzzamyDMIQ6ZD3KM0xQm2vO9 w84OG7vJLtOajF9h3whxYg+aZEjmAEl9FDiZvU3MycY5BJqoH/yh5vsPCRjcFpY58kTWZGqXKy LPU=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Tue, Feb 09, 2021 at 04:14:41PM +0100, Jan Beulich wrote:
> On 09.02.2021 15:55, Roger Pau Monné wrote:
> > On Thu, Jan 14, 2021 at 04:04:11PM +0100, Jan Beulich wrote:
> >> The "guest" variants are intended to work with (potentially) fully guest
> >> controlled addresses, while the "unsafe" variants are not. (For
> >> descriptor table accesses the low bits of the addresses may still be
> >> guest controlled, but this still won't allow speculation to "escape"
> >> into unwanted areas.)
> > 
> > Descriptor table is also in guest address space, and hence would be
> > fine using the _guest accessors? (even if not in guest control and
> > thus unsuitable as an speculation vector)
> 
> No, we don't access descriptor tables in guest space, I don't
> think. See read_gate_descriptor() for an example. After all PV
> guests don't even have the full concept of self-managed (in
> their VA space) descriptor tables (GDT gets specified in terms
> of frames, while LDT gets specified in terms of (VA,size)
> tuples, but just for Xen to read the underlying page table
> entries upon 1st access).

I see, read_gate_descriptor uses gdt_ldt_desc_ptr which points into
the per-domain Xen virt space, so it's indeed an address in Xen
address space. I realize it doesn't make sense for the descriptor
table to be in guest address space, as it's not fully under guest
control.

> >> --- a/xen/arch/x86/traps.c
> >> +++ b/xen/arch/x86/traps.c
> >> @@ -274,7 +274,7 @@ static void compat_show_guest_stack(stru
> >>      {
> >>          if ( (((long)stack - 1) ^ ((long)(stack + 1) - 1)) & mask )
> >>              break;
> >> -        if ( __get_user(addr, stack) )
> >> +        if ( get_unsafe(addr, stack) )
> >>          {
> >>              if ( i != 0 )
> >>                  printk("\n    ");
> >> @@ -343,7 +343,7 @@ static void show_guest_stack(struct vcpu
> >>      {
> >>          if ( (((long)stack - 1) ^ ((long)(stack + 1) - 1)) & mask )
> >>              break;
> >> -        if ( __get_user(addr, stack) )
> >> +        if ( get_unsafe(addr, stack) )
> > 
> > Shouldn't accessing the guest stack use the _guest accessors?
> 
> Hmm, yes indeed.
> 
> > Or has this address been verified by Xen and not in idrect control of
> > the guest, and thus can't be used for speculation purposes?
> > 
> > I feel like this should be using the _guest accessors anyway, as the
> > guest stack is an address in guest space?
> 
> I think this being a debugging function only, not directly
> accessible by guests, is what made me think speculation is
> not an issue here and hence the "unsafe" variants are fine
> to use (they're slightly cheaper after all, once the
> subsequent changes are in place). But I guess I will better
> switch these two around.

With that:

Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.