
Re: [PATCH][4.15] x86: mirror compat argument translation area for 32-bit PV


  • To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 22 Feb 2021 14:14:43 +0000
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>
  • Delivery-date: Mon, 22 Feb 2021 14:14:58 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 22/02/2021 10:27, Jan Beulich wrote:
> Now that we guard the entire Xen VA space against speculative abuse
> through hypervisor accesses to guest memory, the argument translation
> area's VA also needs to live outside this range, at least for 32-bit PV
> guests. To avoid extra is_hvm_*() conditionals, use the alternative VA
> uniformly.
>
> While this could be conditionalized upon CONFIG_PV32 &&
> CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS, omitting such extra conditionals
> keeps the code more legible imo.
>
> Fixes: 4dc181599142 ("x86/PV: harden guest memory accesses against speculative abuse")
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -1727,6 +1727,11 @@ void init_xen_l4_slots(l4_pgentry_t *l4t
>                 (ROOT_PAGETABLE_FIRST_XEN_SLOT + slots -
>                  l4_table_offset(XEN_VIRT_START)) * sizeof(*l4t));
>      }
> +
> +    /* Slot 511: Per-domain mappings mirror. */
> +    if ( !is_pv_64bit_domain(d) )
> +        l4t[l4_table_offset(PERDOMAIN2_VIRT_START)] =
> +            l4e_from_page(d->arch.perdomain_l3_pg, __PAGE_HYPERVISOR_RW);
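Review bot: the new slot-511 entry is stored without checking that the slot is still empty after the copy of Xen's own L4 slots just above (the memcpy sized by `(ROOT_PAGETABLE_FIRST_XEN_SLOT + slots - l4_table_offset(XEN_VIRT_START))`), so if the extended directmap already populates that slot the mirror silently replaces it rather than failing loudly; add an `ASSERT(!(l4e_get_flags(l4t[l4_table_offset(PERDOMAIN2_VIRT_START)]) & _PAGE_PRESENT))` before the store, or move PERDOMAIN2_VIRT_START out of the directmap range in the layout header. Also, the comment hardcodes "Slot 511" while the index is derived from `PERDOMAIN2_VIRT_START`; a `BUILD_BUG_ON(l4_table_offset(PERDOMAIN2_VIRT_START) != 511)` next to the comment would keep the two from drifting apart.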

This virtual address is inside the extended directmap.  You're going to
need to rearrange more things than just this, to make it safe.

While largely a theoretical risk as far as the directmap goes, there is
now a rather higher risk of colliding with the ERR_PTR() range.  It's bad
enough this infrastructure is inherently unsafe with 64bit PV guests,

~Andrew
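As an added illustration (not code from the thread, nor from Xen itself), the following C program models the L4-slot arithmetic behind Andrew's objection. An L4 entry makes an entire 512 GiB slot reachable, so whatever the size of the mirrored per-domain area, a slot-511 entry covers the top of the address space, and that is where ERR_PTR() values live (Xen's err.h treats pointers at or above (unsigned long)-MAX_ERRNO, with MAX_ERRNO 4095, as error codes). The slot indices 261 (PERDOMAIN_VIRT_START) and 511 come from the hunk and from Xen's well-known layout; the directmap extents and the `layout[]` table are assumptions made for the example, not Xen's real constants.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 4-level paging: an L4 entry covers 2^39 bytes, index = VA bits 47:39. */
#define L4_PAGETABLE_SHIFT   39
#define L4_PAGETABLE_ENTRIES 512
#define L4_SLOT_SIZE         (1ULL << L4_PAGETABLE_SHIFT)

/* Xen's err.h convention: IS_ERR(p) is (unsigned long)p >= (unsigned long)-MAX_ERRNO. */
#define MAX_ERRNO 4095

struct va_range {
    const char *name;
    uint64_t start, end;   /* inclusive bounds */
};

static unsigned int l4_table_offset(uint64_t va)
{
    return (va >> L4_PAGETABLE_SHIFT) & (L4_PAGETABLE_ENTRIES - 1);
}

/* First VA of an L4 slot; slots 256..511 are sign-extended into the upper half. */
static uint64_t l4_slot_start(unsigned int slot)
{
    uint64_t va = (uint64_t)slot << L4_PAGETABLE_SHIFT;

    if ( slot >= L4_PAGETABLE_ENTRIES / 2 )
        va |= 0xffff000000000000ULL;
    return va;
}

/* Everything an L4 entry in `slot` makes reachable, regardless of the L3's size. */
static struct va_range l4_slot_range(unsigned int slot, const char *name)
{
    struct va_range r = { name, l4_slot_start(slot),
                          l4_slot_start(slot) + L4_SLOT_SIZE - 1 };
    return r;
}

static bool ranges_overlap(const struct va_range *a, const struct va_range *b)
{
    return a->start <= b->end && b->start <= a->end;
}

static const struct va_range err_ptr_range = {
    "ERR_PTR() values", (uint64_t)-(int64_t)MAX_ERRNO, UINT64_MAX
};

/* Does installing a whole-slot L4 entry in `slot` overlap the ERR_PTR() range? */
static bool slot_collides_with_err_ptr(unsigned int slot)
{
    struct va_range r = l4_slot_range(slot, "candidate");
    return ranges_overlap(&r, &err_ptr_range);
}

/* Count layout regions a candidate slot would alias. */
static unsigned int count_layout_collisions(unsigned int slot,
                                            const struct va_range *layout,
                                            size_t n)
{
    struct va_range r = l4_slot_range(slot, "candidate");
    unsigned int hits = 0;

    for ( size_t i = 0; i < n; i++ )
        if ( ranges_overlap(&r, &layout[i]) )
            hits++;
    return hits;
}

/* Assumed layout for the example only: Xen text in slot 256, the extended
 * directmap from slot 262 to the top of memory (Andrew's point: slot 511 is
 * inside it). Real Xen constants differ in detail. */
static const struct va_range layout[] = {
    { "Xen text/data (slot 256, assumed)", 0xffff800000000000ULL, 0xffff807fffffffffULL },
    { "extended directmap (slots 262-511, assumed)", 0xffff830000000000ULL, UINT64_MAX },
};

int main(void)
{
    unsigned int mirror = 511, perdomain = 261;

    printf("slot %u starts at %#llx, collides with ERR_PTR(): %s, layout hits: %u\n",
           mirror, (unsigned long long)l4_slot_start(mirror),
           slot_collides_with_err_ptr(mirror) ? "yes" : "no",
           count_layout_collisions(mirror, layout, sizeof(layout) / sizeof(layout[0])));
    printf("slot %u starts at %#llx, collides with ERR_PTR(): %s\n",
           perdomain, (unsigned long long)l4_slot_start(perdomain),
           slot_collides_with_err_ptr(perdomain) ? "yes" : "no");
    return 0;
}
```

The check is deliberately done per L4 slot rather than per mapped L3 region: a guest-controlled index into the mirrored area is bounded by the L3/L2 tables Xen fills in, but the speculative-hardening masks the patch series relies on reason about L4-sized ranges, so a slot that shares space with ERR_PTR() or the directmap is what a reviewer looks for.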
