[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH SpectreV1+L1TF v4 08/11] xen/evtchn: block speculative out-of-bound accesses

To: <nmanthey@xxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Fri, 25 Jan 2019 02:23:32 -0700
Cc: Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, "Martin Mazein\(amazein\)" <amazein@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Julian Stecklina <jsteckli@xxxxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>
Delivery-date: Fri, 25 Jan 2019 09:23:47 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 24.01.19 at 20:50, <nmanthey@xxxxxxxxx> wrote:
> On 1/24/19 17:56, Jan Beulich wrote:
>>>>> On 23.01.19 at 12:57, <nmanthey@xxxxxxxxx> wrote:
>>> --- a/xen/common/event_channel.c
>>> +++ b/xen/common/event_channel.c
>>> @@ -368,8 +368,14 @@ int evtchn_bind_virq(evtchn_bind_virq_t *bind, 
>>> evtchn_port_t port)
>>>      if ( virq_is_global(virq) && (vcpu != 0) )
>>>          return -EINVAL;
>>>  
>>> +   /*
>>> +    * Make sure the guest controlled value virq is bounded even during
>>> +    * speculative execution.
>>> +    */
>>> +    virq = array_index_nospec(virq, ARRAY_SIZE(v->virq_to_evtchn));
>> I think this wants to move ahead of the if() in context, to be independent
>> of the particular implementation of virq_is_global() (the current shape of
>> which is mostly fine, perhaps with the exception of the risk of the compiler
>> translating the switch() there by way of a jump table). This also moves it
>> closer to the if() the construct is a companion to.
> I understand the concern. However, because the value of virq would be
> changed before the virq_is_global check, couldn't that result in
> returning a wrong error code? The potential out-of-bound value is
> brought back into the valid range, so that the above check might fire
> incorrectly?

No - and incorrect (out of bounds value) making it into virq_is_global()
is possible during mis-speculation only anyway. Out of range values,
for the purpose of architecturally visible state, get rejected by the
first if(). In range values won't be altered by array_index_nospec().

>>> @@ -931,7 +943,8 @@ long evtchn_bind_vcpu(unsigned int port, unsigned int 
>>> vcpu_id)
>>>      struct evtchn *chn;
>>>      long           rc = 0;
>>>  
>>> -    if ( (vcpu_id >= d->max_vcpus) || (d->vcpu[vcpu_id] == NULL) )
>>> +    if ( (vcpu_id >= d->max_vcpus) ||
>>> +         (d->vcpu[array_index_nospec(vcpu_id, d->max_vcpus)] == NULL) )
>>>          return -ENOENT;
>>>  
>>>      spin_lock(&d->event_lock);
>>> @@ -969,8 +982,10 @@ long evtchn_bind_vcpu(unsigned int port, unsigned int 
>>> vcpu_id)
>>>          unlink_pirq_port(chn, d->vcpu[chn->notify_vcpu_id]);
>>>          chn->notify_vcpu_id = vcpu_id;
>>>          pirq_set_affinity(d, chn->u.pirq.irq,
>>> -                          cpumask_of(d->vcpu[vcpu_id]->processor));
>>> -        link_pirq_port(port, chn, d->vcpu[vcpu_id]);
>>> +                          cpumask_of(d->vcpu[array_index_nospec(vcpu_id,
>>> +                                                                
>>> d->max_vcpus)]->processor));
>>> +        link_pirq_port(port, chn, d->vcpu[array_index_nospec(vcpu_id,
>>> +                                                             
>>> d->max_vcpus)]);
>> Using Andrew's new domain_vcpu() will improve readability, especially
>> after your change, quite a bit here. But of course code elsewhere will
>> benefit as well.
> 
> You mean I should use the domain_vcpu function in both hunks, because
> due to the first one, the latter can never return NULL? I will rebase
> the series on top of this fresh change, and use the domain_vcpu function
> for the locations where I bound a vcpu_id.

Thanks - that why Andrew had dusted off this old change of his.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

References:
- [Xen-devel] SpectreV1+L1TF Patch Series
  - From: Norbert Manthey
- [Xen-devel] [PATCH SpectreV1+L1TF v4 08/11] xen/evtchn: block speculative out-of-bound accesses
  - From: Norbert Manthey
- Re: [Xen-devel] [PATCH SpectreV1+L1TF v4 08/11] xen/evtchn: block speculative out-of-bound accesses
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH SpectreV1+L1TF v4 08/11] xen/evtchn: block speculative out-of-bound accesses
  - From: Norbert Manthey

Prev by Date: Re: [Xen-devel] [PATCH SpectreV1+L1TF v4 01/11] is_control_domain: block speculation
Next by Date: Re: [Xen-devel] [PATCH v6 1/3] xen/pt: fix some pass-thru devices don't work across reboot
Previous by thread: Re: [Xen-devel] [PATCH SpectreV1+L1TF v4 08/11] xen/evtchn: block speculative out-of-bound accesses
Next by thread: [Xen-devel] [PATCH SpectreV1+L1TF v4 09/11] x86/vioapic: block speculative out-of-bound accesses
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.