[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: [PATCH 5/6] trace: fix security issues


  • To: Jan Beulich <JBeulich@xxxxxxxxxx>
  • From: George Dunlap <dunlapg@xxxxxxxxx>
  • Date: Thu, 1 Jul 2010 09:32:33 +0100
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 01 Jul 2010 01:33:36 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=GLkGxeODWMVcuF+pp1aHuvQMJ3iMZHpmcEAhiRlGE45VrUCI+0uWtDtrLlqFU2x6Nf 8wAguLW8GLedHg7BtpnLb3L7uy92tJhft8Tg67753VwbNzRKjNVLz0mH31RoqlN9CKyp KlRH+s9NREOEHfuroCP7XeUEwNFReHEEOlczQ=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>

On Thu, Jul 1, 2010 at 9:04 AM, Jan Beulich <JBeulich@xxxxxxxxxx> wrote:
> The point is to prevent the compiler from doing the memory reads
> more than once (which it is permitted to do on non-volatiles). As
> said in the submission comment, this could be done via barriers too,
> but one of the two has to be there.

I understand what the volatile modifier is supposed to do. :-)
(Although I think you've got it backwards -- it forces the compiler to
do memory reads every time, instead of doing them only once and
caching them in a register.)  My question is, why do you think the
volatile modifier is necessary?  What kinds of situations are you
trying to protect against?  What terrible havoc can a broken / rogue
xentrace binary wreak upon the hypervisor if we don't have the
volatiles in?

Moreover, the purpose of volatile is slightly different than memory
barriers.  AFAICT from the rather sparse documentation, "volatile"
doesn't prevent a compiler from re-ordering memory accesses that it
deems independent.  That's what the memory barriers are for.

At least one specific example where volatile helps would be appreciated.

> Not really - the buffer can't disappear if we make it here, it can only
> disappear when tb_init_done wasn't set yet. But if that's a major
> concern, I can of course put the check back into the locked region.

Hmm -- that happens to be the case now, but it's not guaranteed to be
that way forever, and this is essentially a "trap" laid for anyone who
changes that invariant.  At some point I would like to implement
re-sizable trace buffers, in which case the buffer may disappear after
tb_init_done is set. I'd rather not rely on my memory of this
discussion. :-)

> And wait, I think in the end there's no change needed at all -
> originally I thought going to the "unlock" label here is unsafe as
> the code there would de-reference buf, but started_below_highwater
> still being zero would prevent this.

Yes, that's in part what setting that was for.  I'll add a comment to
that effect.

> So I'll submit another version in any case, after we settled on
> whether using volatile qualifiers is acceptable here.

I've already got things in a nice patchqueue, including my modified
patches -- I'll just pull out the volatile code, make the simple
changes we've discussed, and post the patch queue.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.