
Re: [Xen-devel] [PATCH 4/4] x86/vLAPIC: avoid speculative out of bounds accesses



On 04.07.2019 15:44, Andrew Cooper wrote:
> On 31/01/2019 14:27, Jan Beulich wrote:
>> Array indexes used in the MMIO and MSR read/write emulation functions
>> are derived from guest controlled values. Restrict their ranges to limit
>> the side effects of speculative execution.
>>
>> Remove the unused vlapic_lvt_{vector,dm}() instead of adjusting them.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> While they are all guest controlled, the MMIO side of things is on the
> end of a function pointer call, which has already determined that the
> access is within 4k.  I don't think there are any safety concerns here.

I.e. are you suggesting there's no speculation through indirect
calls?

> guest_rdmsr_x2apic() does get values in the range 0x800...0xbff, so I
> think this is the only case which needs protecting.

What about vlapic_apicv_write(), which does get called directly?

And what about the vlapic_lvt_mask[] accesses?

Jan
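
The range restriction the patch description refers to, sketched as an added example that is not part of this thread or of Xen's code: the architectural bounds check is followed by a branchless mask, so a mispredicted check cannot index the array with a guest-chosen value. `index_mask`, `clamp_index`, `read_x2apic_reg` and the `regs` table are hypothetical names; only the 0x800...0xbff MSR range comes from the message above.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define X2APIC_MSR_FIRST 0x800u   /* range quoted in the thread: 0x800...0xbff */
#define X2APIC_MSR_LAST  0xbffu
#define NR_REGS (X2APIC_MSR_LAST - X2APIC_MSR_FIRST + 1)

static uint32_t regs[NR_REGS];    /* constructed stand-in for per-register state */

/*
 * Hypothetical helper: all-ones if idx < size, zero otherwise, computed with
 * no branch to mispredict. Assumes size <= LONG_MAX and an arithmetic right
 * shift of negative values (true for GCC and Clang).
 */
static unsigned long index_mask(unsigned long idx, unsigned long size)
{
    /* Hide idx from the optimizer so the mask is not folded into the branch. */
    __asm__ volatile ("" : "+r" (idx));
    return (unsigned long)(~(long)(idx | (size - 1 - idx)) >>
                           (sizeof(long) * CHAR_BIT - 1));
}

/* Returns idx when in range, 0 when not: the value used under speculation. */
unsigned long clamp_index(unsigned long idx, unsigned long size)
{
    return idx & index_mask(idx, size);
}

/* Hypothetical read handler: architectural check first, then the clamp. */
int read_x2apic_reg(uint32_t msr, uint32_t *val)
{
    unsigned long idx = (unsigned long)msr - X2APIC_MSR_FIRST;

    if (idx >= NR_REGS)
        return -1;                      /* outside 0x800...0xbff */
    *val = regs[clamp_index(idx, NR_REGS)];
    return 0;
}

int main(void)
{
    uint32_t v = 0;
    regs[2] = 0x1234;                   /* constructed sample value */
    int rc = read_x2apic_reg(0x802, &v);
    printf("0x802 -> %d (0x%x)\n", rc, (unsigned)v);
    printf("0xc00 -> %d\n", read_x2apic_reg(0xc00, &v));
    return 0;
}
```

The mask depends on the index through data flow rather than control flow, which is why it still holds on a path where the `if` was predicted the wrong way.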