[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 9/9] x86/shadow: harden shadow_size()

  • To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 18 Jan 2023 15:13:44 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=M2BD3I1J1B1A53Sw6NFpEzt0QkfOGaSkop18+jYiq3Q=; b=bVs6e+S4fsiy8X48gTexmYkS2fsU0b1Vy88ZXB7n1/eSW/QlDP1TyDlsHnhF1J/3QNTk4z0RAXrxvtt9+bSEu8bBNC4VGVZKqhxUSnXj8Mt9rwj3vyiWAAxFXnJH43QY9y5iDXPOSoBU7DWvRsd6f+Ya2HWYxR6t5SdIboLiVxD4dYNOgKOQBJaiLIB7Y8vwbmh1vb07Qo+S9xFFUE0vFUP5LKeoIYYGa7eGHMy0YnW/dHy0xaU/urTARR/IpMVG2L23a6GzNK3lSoDHKqD6Pcp4e/9DFCximJCG1Oc3+gry5+O+X9oA++yUPxOVIZGC2cX/WUHk6r+o2ndDGbJxMQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ffNwAn3ZkYa+csEaJ9Qw+YvgacBgiysQMSfgLab/a2vDq7PY3BT2A+vcCb4Rgpg353iKvKgWg0Zo0UgPaOuvcxoqWLVEpXAqxSP1m9Lj/gyD0sTuTpXDZdb3BBwcyvNSp+gItrhfAVGu/z9eHvf0uchr5DDZpooa8I+aWdV8cqP3ffxuJfK0cOnKeSKPz44cHUKb5UItFKGCweCdWElJ9+coNpVqFaouCDtuAe2T15RZMUIByQFFF/MtUJT7zV8FAmSZYAw48n0c476gOq8kkfghVlw5QAI6crR9jsin5ItUgqWAKNoxNXlvVYlXz9SvHWXBv6LR7NUj1tYKAV4czA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "Tim (Xen.org)" <tim@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 18 Jan 2023 14:14:07 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 17.01.2023 20:13, Andrew Cooper wrote:
> On 12/01/2023 10:42 am, Jan Beulich wrote:
>> On 12.01.2023 11:31, Andrew Cooper wrote:
>>> On 12/01/2023 9:47 am, Jan Beulich wrote:
>>>> On 12.01.2023 00:15, Andrew Cooper wrote:
>>>>> On 11/01/2023 1:57 pm, Jan Beulich wrote:
>>>>>> Make HVM=y release build behavior prone against array overrun, by
>>>>>> (ab)using array_access_nospec(). This is in particular to guard against
>>>>>> e.g. SH_type_unused making it here unintentionally.
>>>>>>
>>>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>>>> ---
>>>>>> v2: New.
>>>>>>
>>>>>> --- a/xen/arch/x86/mm/shadow/private.h
>>>>>> +++ b/xen/arch/x86/mm/shadow/private.h
>>>>>> @@ -27,6 +27,7 @@
>>>>>>  // been included...
>>>>>>  #include <asm/page.h>
>>>>>>  #include <xen/domain_page.h>
>>>>>> +#include <xen/nospec.h>
>>>>>>  #include <asm/x86_emulate.h>
>>>>>>  #include <asm/hvm/support.h>
>>>>>>  #include <asm/atomic.h>
>>>>>> @@ -368,7 +369,7 @@ shadow_size(unsigned int shadow_type)
>>>>>>  {
>>>>>>  #ifdef CONFIG_HVM
>>>>>>      ASSERT(shadow_type < ARRAY_SIZE(sh_type_to_size));
>>>>>> -    return sh_type_to_size[shadow_type];
>>>>>> +    return array_access_nospec(sh_type_to_size, shadow_type);
>>>>> I don't think this is warranted.
>>>>>
>>>>> First, if the commit message were accurate, then it's a problem for all
>>>>> arrays of size SH_type_unused, yet you've only adjusted a single instance.
>>>> Because I think the risk is higher here than for other arrays. In
>>>> other cases we have suitable build-time checks (HASH_CALLBACKS_CHECK()
>>>> in particular) which would trip upon inappropriate use of one of the
>>>> types which are aliased to SH_type_unused when !HVM.
>>>>
>>>>> Secondly, if it were reliably 16 then we could do the basically-free
>>>>> "type &= 15;" modification.  (It appears my change to do this
>>>>> automatically hasn't been taken yet.), but we'll end up with lfence
>>>>> variation here.
>>>> How could anything be "reliably 16"? Such enums can change at any time:
>>>> They did when making HVM types conditional, and they will again when
>>>> adding types needed for 5-level paging.
>>>>
>>>>> But the value isn't attacker controlled.  shadow_type always comes from
>>>>> Xen's metadata about the guest, not the guest itself.  So I don't see
>>>>> how this can conceivably be a speculative issue even in principle.
>>>> I didn't say anything about there being a speculative issue here. It
>>>> is for this very reason that I wrote "(ab)using".
>>> Then it is entirely wrong to be using a nospec accessor.
>>>
>>> Speculation problems are subtle enough, without false uses of the safety
>>> helpers.
>>>
>>> If you want to "harden" against runtime architectural errors, you want
>>> to up the ASSERT() to a BUG(), which will execute faster than sticking
>>> an hiding an lfence in here, and not hide what is obviously a major
>>> malfunction in the shadow pagetable logic.
>> I should have commented on this earlier already: What lfence are you
>> talking about?
> 
> The one I thought was hiding under array_access_nospec(), but I forgot
> we'd done the sbb trick.
> 
>> As to BUG() - the goal here specifically is to avoid a
>> crash in release builds, by forcing the function to return zero (via
>> having it use array slot zero for out of range indexes).
> 
> I'm very uneasy about having something this deep inside a component,
> which ASSERT()s correctness doing something custom like this "just to
> avoid crashing".
> 
> There is either something important which makes this more likely than
> most to go wrong at runtime, or there is not.  And honestly, I can't see
> why it is more risky at runtime.

Well, okay. I did explain why I think there is an increased risk here.

> If we really do need to clamp it, then we need a brand new helper with a
> name that doesn't reference speculation at all.  It's fine for *_nospec
> to reuse this helper, stating the safety of doing so, but at a code
> level there need to be two appropriately named helpers for their two
> logically-unrelated purposes.

I don't think anything can sensibly be made for more general purpose
(not speculation related) use. Here I'm specifically utilizing that
array slot 0 is being picked as the fallback slot _and_ that slot is
actually suitable. This may not be the case for other arrays.

Anyway - taking things together I will then simply consider the patch
rejected, despite it being a seemingly easy step of hardening.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.