
Re: [PATCH 04/17] x86/PV: harden guest memory accesses against speculative abuse



On 09.02.2021 17:26, Roger Pau Monné wrote:
> On Thu, Jan 14, 2021 at 04:04:57PM +0100, Jan Beulich wrote:
>> --- a/xen/arch/x86/usercopy.c
>> +++ b/xen/arch/x86/usercopy.c
>> @@ -10,12 +10,19 @@
>>  #include <xen/sched.h>
>>  #include <asm/uaccess.h>
>>  
>> -unsigned __copy_to_user_ll(void __user *to, const void *from, unsigned n)
>> +#ifndef GUARD
>> +# define GUARD UA_KEEP
>> +#endif
>> +
>> +unsigned int copy_to_guest_ll(void __user *to, const void *from, unsigned 
>> int n)
>>  {
>>      unsigned dummy;
>>  
>>      stac();
>>      asm volatile (
>> +        GUARD(
>> +        "    guest_access_mask_ptr %[to], %q[scratch1], %q[scratch2]\n"
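Review bot: the `#ifndef GUARD` / `# define GUARD UA_KEEP` default at the top of usercopy.c is undocumented; a one-line comment saying who is expected to define GUARD otherwise (the UA_DROP variant introduced in uaccess.h by this same patch) and what dropping the masking means for the functions so compiled would make the intent clear to readers who only see this file. Minor style point in the same hunk: the signature changes `unsigned n` to `unsigned int n`, but the unchanged `unsigned dummy;` just below still uses the bare form.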
> 
> Don't you need to also take 'n' into account here to assert that the
> address doesn't end in hypervisor address space? Or that's fine as
> speculation wouldn't go that far?

Like elsewhere this leverages that the hypervisor VA range starts
immediately after the non-canonical hole. I'm unaware of
speculation being able to cross over that hole.

> I also wonder why this needs to be done in assembly, could you check
> the address(es) using C?

For this to be efficient (in avoiding speculation) the insn
sequence would better not have any conditional jumps. I don't
think the compiler can be told so.

>> --- a/xen/include/asm-x86/uaccess.h
>> +++ b/xen/include/asm-x86/uaccess.h
>> @@ -13,13 +13,19 @@
>>  unsigned copy_to_user(void *to, const void *from, unsigned len);
>>  unsigned clear_user(void *to, unsigned len);
>>  unsigned copy_from_user(void *to, const void *from, unsigned len);
>> +
>>  /* Handles exceptions in both to and from, but doesn't do access_ok */
>> -unsigned __copy_to_user_ll(void __user*to, const void *from, unsigned n);
>> -unsigned __copy_from_user_ll(void *to, const void __user *from, unsigned n);
>> +unsigned int copy_to_guest_ll(void __user*to, const void *from, unsigned 
>> int n);
>> +unsigned int copy_from_guest_ll(void *to, const void __user *from, unsigned 
>> int n);
>> +unsigned int copy_to_unsafe_ll(void *to, const void *from, unsigned int n);
>> +unsigned int copy_from_unsafe_ll(void *to, const void *from, unsigned int 
>> n);
>>  
>>  extern long __get_user_bad(void);
>>  extern void __put_user_bad(void);
>>  
>> +#define UA_KEEP(args...) args
>> +#define UA_DROP(args...)
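Review bot: the comment "Handles exceptions in both to and from, but doesn't do access_ok" now covers four prototypes whose pointer annotations differ (`__user` kept on the `copy_*_guest_ll` pair, dropped on the `copy_*_unsafe_ll` pair), so a sentence on when the unsafe variants are the right choice instead of the guest ones would help callers pick correctly. `UA_KEEP()`/`UA_DROP()` are likewise added without a comment saying what they select. Style nit: `void __user*to` in the copy_to_guest_ll prototype is missing the space before `to`.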
> 
> I assume UA means user access, and since you have dropped other uses
> of user and changed to guest instead I wonder if we should name this
> just A_{KEEP/DROP}.

Like in the name of the file I mean to see 'u' stand for "unsafe"
going forward. (A single letter name prefix would also seem more
prone to future collisions to me.)

Jan
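The masking idea discussed above, written out as an added example (it is not Xen code, nor the body of the guest_access_mask_ptr macro, which this thread does not show). It assumes 4-level paging with 48-bit canonical addresses and Xen's x86-64 layout in which the hypervisor range sits directly above the non-canonical hole; the HYPERVISOR_VIRT_START/END and LOWER_HALF_END values are restated here as assumptions of this example. The C form of the mask mirrors the point Jan makes about conditional jumps: the expression has no if(), yet the compiler may still emit a branch for the comparison, which is why the inline-assembly variant is included for comparison. first_forbidden_byte() plays through Roger's question about the length: from a guest user address, a range that would reach the hypervisor area has to pass through the non-canonical hole first.

```c
/*
 * Added example (not Xen code): the address-masking idea behind
 * guest_access_mask_ptr, written in C so the address classes can be checked.
 *
 * Assumptions: 48-bit canonical addresses (4-level paging) and Xen's x86-64
 * layout with the hypervisor range starting right after the non-canonical
 * hole.  The constants below are assumptions of this example.
 */
#include <stdint.h>
#include <stdio.h>

#define LOWER_HALF_END        0x0000800000000000ULL /* first non-canonical byte */
#define HYPERVISOR_VIRT_START 0xFFFF800000000000ULL /* first canonical upper byte */
#define HYPERVISOR_VIRT_END   0xFFFF880000000000ULL /* PV guest kernel from here */

enum addr_class { ADDR_GUEST_USER, ADDR_NONCANONICAL, ADDR_XEN, ADDR_GUEST_KERNEL };

static enum addr_class classify(uint64_t va)
{
    if (va < LOWER_HALF_END)        return ADDR_GUEST_USER;
    if (va < HYPERVISOR_VIRT_START) return ADDR_NONCANONICAL;
    if (va < HYPERVISOR_VIRT_END)   return ADDR_XEN;
    return ADDR_GUEST_KERNEL;
}

/*
 * ptr &= ~0ull >> (ptr < HYPERVISOR_VIRT_END)
 *
 * Guest user addresses already have bit 63 clear and guest kernel addresses
 * (>= HYPERVISOR_VIRT_END) keep it, so only a hypervisor address is changed:
 * clearing bit 63 turns it into a non-canonical address that faults instead
 * of being dereferenced.  No if() here, but a compiler is still free to emit
 * a conditional branch for the comparison.
 */
static uint64_t mask_guest_ptr_c(uint64_t ptr)
{
    return ptr & (~0ULL >> (ptr < HYPERVISOR_VIRT_END));
}

/* Same operation as a branch-free x86-64 sequence; plain C elsewhere. */
static uint64_t mask_guest_ptr_asm(uint64_t ptr)
{
#if defined(__x86_64__) && defined(__GNUC__)
    uint64_t limit = HYPERVISOR_VIRT_END - 1, mask = ~0ULL;

    __asm__ ("cmp %[ptr], %[limit]\n\t" /* CF = (limit < ptr), i.e. ptr >= END */
             "rcr $1, %[mask]\n\t"      /* rotate CF into bit 63 of the mask */
             "and %[mask], %[ptr]"      /* clear bit 63 unless ptr >= END */
             : [ptr] "+r" (ptr), [mask] "+r" (mask)
             : [limit] "r" (limit)
             : "cc");
    return ptr;
#else
    return mask_guest_ptr_c(ptr);
#endif
}

/*
 * Does the length matter?  Return the first byte of [ptr, ptr + n) that a
 * guest must not touch, or 0 if there is none.  From a guest user address the
 * range hits the non-canonical hole before it can reach the hypervisor
 * range; from a guest kernel address it only moves further away from it.
 */
static uint64_t first_forbidden_byte(uint64_t ptr, uint64_t n)
{
    uint64_t last;

    if (n == 0)
        return 0;
    if (classify(ptr) == ADDR_NONCANONICAL || classify(ptr) == ADDR_XEN)
        return ptr;
    last = ptr + (n - 1);              /* wrap past 2^64 is not modelled */
    if (classify(ptr) == ADDR_GUEST_USER && last >= LOWER_HALF_END)
        return LOWER_HALF_END;
    return 0;
}

/* 1 if both variants agree and a masked pointer can never reach Xen's range. */
static int masking_holds(uint64_t ptr, uint64_t n)
{
    uint64_t m = mask_guest_ptr_c(ptr), bad;

    if (m != mask_guest_ptr_asm(ptr))
        return 0;
    bad = first_forbidden_byte(m, n);
    return bad == 0 || classify(bad) == ADDR_NONCANONICAL;
}

int main(void)
{
    /* Constructed sample addresses, one per class. */
    static const uint64_t samples[] = {
        0x00007F0000001000ULL, /* guest user */
        0x0000800000000000ULL, /* first byte of the hole */
        0xFFFF830000000000ULL, /* inside the hypervisor range */
        0xFFFFFFFF81000000ULL, /* 64-bit PV guest kernel */
    };

    for (unsigned int i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%#018llx -> %#018llx (holds for 64KiB: %d)\n",
               (unsigned long long)samples[i],
               (unsigned long long)mask_guest_ptr_c(samples[i]),
               masking_holds(samples[i], 0x10000));
    return 0;
}
```

Compile with `gcc -O2 -o mask mask.c` and inspect the disassembly of mask_guest_ptr_c to see whether your compiler turned the comparison into a branch; the asm variant has none by construction, which is the property the patch relies on.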



 

