[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v2 9/9] x86/shadow: harden shadow_size()
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Thu, 12 Jan 2023 10:31:11 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=fgzrP60jBfGrPQdP/DsLEQGZ1cWMKjUiLE91ksIgTHc=; b=DZNZViFJ4rS9YeMGjGfD6zO9QWZqPFvVQT6hEEVjCT8x+9m04mAY8gltzilZhID69Nldxo7QWtJgEXLKy431qL3uQ+XZdjF2RnM5gpnEdtsfB6NmfyF9N57zQ+sJQ2hVq9IdtC47SxDHPisq7o+2XixpbBT51bLBkIDV+kq0XhOWbZY69Zhajx+Xiftx+TN3zMZJDutFGFPAzz4lB61aG9UMFdQvp7uzk4WsWuD37PJd9Zn4K5d+pFR5iRL+kx36AHIZ8NPcOsNxCe6p9GCTPmTutJsSCE0NAQoyXzo8h0GHV12LaNOlDt5imAXTViQ33TCdrzHqWlvy+13eZ35hQQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mNxOq3D+U3iDH941E8zovEiXM9wvX9hNhC+g/NGLvoPwRc3LNZX0vgwvE/KX/BlQVXKOp0IxOCZjAQk8slVoZEvepU3d5jp5cAOikEi2XgHhOax2pInFj3AxinFhcxGJtP8h9aWhIrPXqaH0SO/Z2Fl391fvD1Fyv19whmoGTiKKOCIUHQlrWU7As6YDCPOhcoZu4JWEMFaycauPIjw3m9Cy67k9EVFCe6tJEG2IEv2cRBS/HoX15NxkrXKr+sRwqs1DIqbKLE5GBe/mKGJk4gFGtyCu7JOjgQF0TnU7sPLxoe/+6vx7C4QJnWb9u5qUlfNeOzp7+C3Qt0jOF8KDhw==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "Tim (Xen.org)" <tim@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Thu, 12 Jan 2023 10:31:33 +0000
- Ironport-data: A9a23:Yl1OgarzlFnY5nJ8W73dSnufNq9eBmIpZBIvgKrLsJaIsI4StFCzt garIBmBaKmKNmSmfYpzYYvlox4Au57cn9VmTQQ6qCgxRi5Go5uZCYyVIHmrMnLJJKUvbq7FA +Y2MYCccZ9uHhcwgj/3b9ANeFEljfngqoLUUbKCYWYpAFc+E0/NsDo788YhmIlknNOlNA2Ev NL2sqX3NUSsnjV5KQr40YrawP9UlKm06W1wUmAWP6gR5weHziNNVfrzGInqR5fGatgMdgKFb 76rIIGRpgvx4xorA9W5pbf3GmVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0MC+7vw6hjdFpo OihgLTrIesf0g8gr8xGO/VQO3kW0aSrY9YrK1Dn2SCY5xWun3cBX5yCpaz5VGEV0r8fPI1Ay RAXADMmbkuGiL6R+riEe7J8rOU8D+36AbpK7xmMzRmBZRonabbqZv2WoPpnhnI3jM0IGuvCb c0EbzYpdA7HfxBEJlYQDtQ5gfusgX78NTZfrTp5p4JuuzSVkFM3j+OraYWIEjCJbZw9ckKwj 2TK5WnmRDodM8SS02Gt+XOwnO7f2yj8Xer+EZXpr6Qz3QPJlwT/DjUndmWCodOesneldNxxL EAm9XILsIMtoRnDot7VGkfQTGS/lhwWVsdUEuY6wBqQ0aeS6AGcbkAbShZRZdpgs9U5LRQ21 1qhj97vQzt1v9W9WX+bs7uZsz62ESwUNnMZIz8JSxMf5Nvuq511iQjAJuuPC4awh9zxXDTvm TaDqXBig61J1JFWkaKm4VrAnjSg4IDTSRI47RnWWWTj6R5lYImiZMqj7l2zAet8Ebt1h2Kp5 BAs8/VyJshVZX1RvERhmNkwIYw=
- Ironport-hdrordr: A9a23:nJmgaatOZBz9ZcLVw896ER3B7skDctV00zEX/kB9WHVpm6uj+/ xG/c516faQsl0ssR4b9+xoVJPgfZq/z+8X3WBhB9eftWDd0QPDQb2KhrGSoQEIdReOktJ15O NNdLV/Fc21LXUSt7ec3OBgKadE/OW6
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHZJcS6xQlTtpJxX0O79yAhgOZJ+66Z2cOAgACwbwCAAAw+gA==
- Thread-topic: [PATCH v2 9/9] x86/shadow: harden shadow_size()
On 12/01/2023 9:47 am, Jan Beulich wrote:
> On 12.01.2023 00:15, Andrew Cooper wrote:
>> On 11/01/2023 1:57 pm, Jan Beulich wrote:
>>> Make HVM=y release build behavior prone against array overrun, by
>>> (ab)using array_access_nospec(). This is in particular to guard against
>>> e.g. SH_type_unused making it here unintentionally.
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>> ---
>>> v2: New.
>>>
>>> --- a/xen/arch/x86/mm/shadow/private.h
>>> +++ b/xen/arch/x86/mm/shadow/private.h
>>> @@ -27,6 +27,7 @@
>>> // been included...
>>> #include <asm/page.h>
>>> #include <xen/domain_page.h>
>>> +#include <xen/nospec.h>
>>> #include <asm/x86_emulate.h>
>>> #include <asm/hvm/support.h>
>>> #include <asm/atomic.h>
>>> @@ -368,7 +369,7 @@ shadow_size(unsigned int shadow_type)
>>> {
>>> #ifdef CONFIG_HVM
>>> ASSERT(shadow_type < ARRAY_SIZE(sh_type_to_size));
>>> - return sh_type_to_size[shadow_type];
>>> + return array_access_nospec(sh_type_to_size, shadow_type);
>> I don't think this is warranted.
>>
>> First, if the commit message were accurate, then it's a problem for all
>> arrays of size SH_type_unused, yet you've only adjusted a single instance.
> Because I think the risk is higher here than for other arrays. In
> other cases we have suitable build-time checks (HASH_CALLBACKS_CHECK()
> in particular) which would trip upon inappropriate use of one of the
> types which are aliased to SH_type_unused when !HVM.
>
>> Secondly, if it were reliably 16 then we could do the basically-free
>> "type &= 15;" modification. (It appears my change to do this
>> automatically hasn't been taken yet.), but we'll end up with lfence
>> variation here.
> How could anything be "reliably 16"? Such enums can change at any time:
> They did when making HVM types conditional, and they will again when
> adding types needed for 5-level paging.
>
>> But the value isn't attacker controlled. shadow_type always comes from
>> Xen's metadata about the guest, not the guest itself. So I don't see
>> how this can conceivably be a speculative issue even in principle.
> I didn't say anything about there being a speculative issue here. It
> is for this very reason that I wrote "(ab)using".
Then it is entirely wrong to be using a nospec accessor.
Speculation problems are subtle enough, without false uses of the safety
helpers.
If you want to "harden" against runtime architectural errors, you want
to up the ASSERT() to a BUG(), which will execute faster than sticking
an hiding an lfence in here, and not hide what is obviously a major
malfunction in the shadow pagetable logic.
~Andrew
|
