[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.14] evtchn/x86: enforce correct upper limit for 32-bit guests



commit b8c2efbe7b3e8fa5f0b0a3679afccd1204949070
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Sep 22 16:13:34 2020 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 22 16:13:34 2020 +0200

    evtchn/x86: enforce correct upper limit for 32-bit guests
    
    The recording of d->max_evtchns in evtchn_2l_init(), in particular with
    the limited set of callers of the function, is insufficient. Neither for
    PV nor for HVM guests the bitness is known at domain_create() time, yet
    the upper bound in 2-level mode depends upon guest bitness. Recording
    too high a limit "allows" x86 32-bit domains to open not properly usable
    event channels, management of which (inside Xen) would then result in
    corruption of the shared info and vCPU info structures.
    
    Keep the upper limit dynamic for the 2-level case, introducing a helper
    function to retrieve the effective limit. This helper is now supposed to
    be private to the event channel code. The used in do_poll() and
    domain_dump_evtchn_info() weren't consistent with port uses elsewhere
    and hence get switched to port_is_valid().
    
    Furthermore FIFO mode's setup_ports() gets adjusted to loop only up to
    the prior ABI limit, rather than all the way up to the new one.
    
    Finally a word on the change to do_poll(): Accessing ->max_evtchns
    without holding a suitable lock was never safe, as it as well as
    ->evtchn_port_ops may change behind do_poll()'s back. Using
    port_is_valid() instead widens some the window for potential abuse,
    until we've dealt with the race altogether (see XSA-343).
    
    This is XSA-342.
    
    Reported-by: Julien Grall <jgrall@xxxxxxxxxx>
    Fixes: 48974e6ce52e ("evtchn: use a per-domain variable for the max number 
of event channels")
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
---
 xen/common/event_2l.c      | 1 -
 xen/common/event_channel.c | 6 ++----
 xen/common/event_fifo.c    | 9 +++++----
 xen/common/sched/core.c    | 2 +-
 xen/include/xen/event.h    | 6 ++++++
 xen/include/xen/sched.h    | 1 -
 6 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/xen/common/event_2l.c b/xen/common/event_2l.c
index e1dbb860f4..a229d35271 100644
--- a/xen/common/event_2l.c
+++ b/xen/common/event_2l.c
@@ -103,7 +103,6 @@ static const struct evtchn_port_ops evtchn_port_ops_2l =
 void evtchn_2l_init(struct domain *d)
 {
     d->evtchn_port_ops = &evtchn_port_ops_2l;
-    d->max_evtchns = BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
 }
 
 /*
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index 53c17bd354..08ffe0f063 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -151,7 +151,7 @@ static void free_evtchn_bucket(struct domain *d, struct 
evtchn *bucket)
 
 int evtchn_allocate_port(struct domain *d, evtchn_port_t port)
 {
-    if ( port > d->max_evtchn_port || port >= d->max_evtchns )
+    if ( port > d->max_evtchn_port || port >= max_evtchns(d) )
         return -ENOSPC;
 
     if ( port_is_valid(d, port) )
@@ -1396,13 +1396,11 @@ static void domain_dump_evtchn_info(struct domain *d)
 
     spin_lock(&d->event_lock);
 
-    for ( port = 1; port < d->max_evtchns; ++port )
+    for ( port = 1; port_is_valid(d, port); ++port )
     {
         const struct evtchn *chn;
         char *ssid;
 
-        if ( !port_is_valid(d, port) )
-            continue;
         chn = evtchn_from_port(d, port);
         if ( chn->state == ECS_FREE )
             continue;
diff --git a/xen/common/event_fifo.c b/xen/common/event_fifo.c
index 230f440f14..2f13d92128 100644
--- a/xen/common/event_fifo.c
+++ b/xen/common/event_fifo.c
@@ -478,7 +478,7 @@ static void cleanup_event_array(struct domain *d)
     d->evtchn_fifo = NULL;
 }
 
-static void setup_ports(struct domain *d)
+static void setup_ports(struct domain *d, unsigned int prev_evtchns)
 {
     unsigned int port;
 
@@ -488,7 +488,7 @@ static void setup_ports(struct domain *d)
      * - save its pending state.
      * - set default priority.
      */
-    for ( port = 1; port < d->max_evtchns; port++ )
+    for ( port = 1; port < prev_evtchns; port++ )
     {
         struct evtchn *evtchn;
 
@@ -546,6 +546,8 @@ int evtchn_fifo_init_control(struct evtchn_init_control 
*init_control)
     if ( !d->evtchn_fifo )
     {
         struct vcpu *vcb;
+        /* Latch the value before it changes during setup_event_array(). */
+        unsigned int prev_evtchns = max_evtchns(d);
 
         for_each_vcpu ( d, vcb ) {
             rc = setup_control_block(vcb);
@@ -562,8 +564,7 @@ int evtchn_fifo_init_control(struct evtchn_init_control 
*init_control)
             goto error;
 
         d->evtchn_port_ops = &evtchn_port_ops_fifo;
-        d->max_evtchns = EVTCHN_FIFO_NR_CHANNELS;
-        setup_ports(d);
+        setup_ports(d, prev_evtchns);
     }
     else
         rc = map_control_block(v, gfn, offset);
diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c
index cb49a8bc02..ab94d2ec3a 100644
--- a/xen/common/sched/core.c
+++ b/xen/common/sched/core.c
@@ -1428,7 +1428,7 @@ static long do_poll(struct sched_poll *sched_poll)
             goto out;
 
         rc = -EINVAL;
-        if ( port >= d->max_evtchns )
+        if ( !port_is_valid(d, port) )
             goto out;
 
         rc = 0;
diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h
index c35f4b23b6..e1b299e8df 100644
--- a/xen/include/xen/event.h
+++ b/xen/include/xen/event.h
@@ -105,6 +105,12 @@ void notify_via_xen_event_channel(struct domain *ld, int 
lport);
 #define bucket_from_port(d, p) \
     ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET])
 
+static inline unsigned int max_evtchns(const struct domain *d)
+{
+    return d->evtchn_fifo ? EVTCHN_FIFO_NR_CHANNELS
+                          : BITS_PER_EVTCHN_WORD(d) * BITS_PER_EVTCHN_WORD(d);
+}
+
 static inline bool_t port_is_valid(struct domain *d, unsigned int p)
 {
     if ( p >= read_atomic(&d->valid_evtchns) )
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index ac53519d7f..545f2bdcd0 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -359,7 +359,6 @@ struct domain
     /* Event channel information. */
     struct evtchn   *evtchn;                         /* first bucket only */
     struct evtchn  **evtchn_group[NR_EVTCHN_GROUPS]; /* all other buckets */
-    unsigned int     max_evtchns;     /* number supported by ABI */
     unsigned int     max_evtchn_port; /* max permitted port number */
     unsigned int     valid_evtchns;   /* number of allocated event channels */
     spinlock_t       event_lock;
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.14



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.