
Re: [PATCH][4.15] x86: mirror compat argument translation area for 32-bit PV

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 22 Feb 2021 16:47:38 +0000
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 22 Feb 2021 16:48:00 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 22/02/2021 14:22, Jan Beulich wrote:
> On 22.02.2021 15:14, Andrew Cooper wrote:
>> On 22/02/2021 10:27, Jan Beulich wrote:
>>> Now that we guard the entire Xen VA space against speculative abuse
>>> through hypervisor accesses to guest memory, the argument translation
>>> area's VA also needs to live outside this range, at least for 32-bit PV
>>> guests. To avoid extra is_hvm_*() conditionals, use the alternative VA
>>> uniformly.
>>> While this could be conditionalized upon CONFIG_PV32 &&
>>> CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS, omitting such extra conditionals
>>> keeps the code more legible imo.
>>> Fixes: 4dc181599142 ("x86/PV: harden guest memory accesses against 
>>> speculative abuse")
>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>> --- a/xen/arch/x86/mm.c
>>> +++ b/xen/arch/x86/mm.c
>>> @@ -1727,6 +1727,11 @@ void init_xen_l4_slots(l4_pgentry_t *l4t
>>>                 (ROOT_PAGETABLE_FIRST_XEN_SLOT + slots -
>>>                  l4_table_offset(XEN_VIRT_START)) * sizeof(*l4t));
>>>      }
>>> +
>>> +    /* Slot 511: Per-domain mappings mirror. */
>>> +    if ( !is_pv_64bit_domain(d) )
>>> +        l4t[l4_table_offset(PERDOMAIN2_VIRT_START)] =
>>> +            l4e_from_page(d->arch.perdomain_l3_pg, __PAGE_HYPERVISOR_RW);
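Review bot: the new slot 511 entry is installed for every domain that is not 64-bit PV, which includes HVM domains, not only the 32-bit PV guests the commit message motivates the change with; the comment `/* Slot 511: Per-domain mappings mirror. */` should state why the mirror is populated unconditionally there (the message's reason is avoiding is_hvm_*() conditionals). The hunk also writes a live `__PAGE_HYPERVISOR_RW` mapping into the last L4 slot without showing any accompanying check that mfn-to-linear translations stay below PERDOMAIN2_VIRT_START, so a translation that previously produced a faulting address in this slot would now hit the per-domain L3 page; a comment or assertion on that boundary would make the safety argument visible in the patch.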
>> This virtual address is inside the extended directmap.
> No. That one covers only the range excluding the last L4 slot.
>>   You're going to
>> need to rearrange more things than just this, to make it safe.
> I specifically picked that entry because I don't think further
> arrangements are needed.

map_domain_page() will blindly hand this virtual address if an
appropriate mfn is passed, because there are no suitability checks.

The error handling isn't great, but at least any attempt to use that
pointer would fault, which is now no longer the case.

LA57 machines can have RAM or NVDIMMs in a range which will tickle this
bug.  In fact, they can have MFNs which would wrap around 0 into guest
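To make the concern in this reply concrete, the following is an added example (not code from Xen or from either author) that models the L4 slot arithmetic and the suitability check an unchecked mfn-to-linear translation lacks; the directmap start slot and the mirror slot are constructed values for the example, not Xen's real layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 4-level paging: one L4 slot maps 1 << 39 bytes (512 GiB). */
#define L4_SHIFT   39
#define L4_ENTRIES 512u
#define PAGE_SHIFT 12

/* Constructed layout for this example (not Xen's real constants): the
 * per-domain mirror sits in the last L4 slot, and the directmap covers
 * every slot from DIRECTMAP_FIRST_SLOT up to, but excluding, that slot. */
#define MIRROR_SLOT          511u
#define DIRECTMAP_FIRST_SLOT 262u

/* Equivalent of l4_table_offset(): index of the L4 slot holding va. */
unsigned int l4_slot(uint64_t va)
{
    return (unsigned int)((va >> L4_SHIFT) & (L4_ENTRIES - 1));
}

/* First canonical VA of an L4 slot; slots 256..511 are sign-extended. */
uint64_t l4_slot_start(unsigned int slot)
{
    uint64_t va = (uint64_t)slot << L4_SHIFT;
    if (va & (1ULL << 47))
        va |= 0xFFFF000000000000ULL;
    return va;
}

/* mfn -> directmap VA, returning 0 when the MFN has no suitable address:
 * the shift would wrap around 0, or the offset would spill past the end
 * of the directmap into the (now populated) mirror slot. */
uint64_t directmap_va_for_mfn(uint64_t mfn)
{
    uint64_t start = l4_slot_start(DIRECTMAP_FIRST_SLOT);
    uint64_t end = l4_slot_start(MIRROR_SLOT);      /* exclusive */

    if (mfn >= (1ULL << (64 - PAGE_SHIFT)))         /* shift would overflow */
        return 0;
    if ((mfn << PAGE_SHIFT) >= end - start)          /* beyond the directmap */
        return 0;
    return start + (mfn << PAGE_SHIFT);
}

int main(void)
{
    /* Highest MFN the constructed directmap can hold, and the next one. */
    uint64_t last = ((uint64_t)(MIRROR_SLOT - DIRECTMAP_FIRST_SLOT) << (L4_SHIFT - PAGE_SHIFT)) - 1;
    printf("mfn %#llx -> %#llx\n", (unsigned long long)last, (unsigned long long)directmap_va_for_mfn(last));
    printf("mfn %#llx -> %#llx (0 = rejected)\n", (unsigned long long)(last + 1), (unsigned long long)directmap_va_for_mfn(last + 1));
    return 0;
}
```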