[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH L1TF MDS GT v1 2/3] common/grant_table: harden bound accesses

  • To: Norbert Manthey <nmanthey@xxxxxxxxx>
  • From: Jan Beulich <JBeulich@xxxxxxxx>
  • Date: Wed, 10 Jul 2019 11:59:29 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=suse.com;dmarc=pass action=none header.from=suse.com;dkim=pass header.d=suse.com;arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2CVM5TRaMtwUCg2wR7qoi2d47a8fDbbxpZG3B7flG18=; b=jkukKBtjUP0mZMt4j0P/Qp3wjSQSUkiWEAzVfLtkkeor0drY3hZGRZ/kmCIQjGxI5Ghv325FH7D1pkiNu4yDi0T+f1YhbF+d8QA29ifUXvTeuqZ3M3W5uduvIxo3ov7kWGnohcI2iEfwws9ZYcdWG3WgnM8kIgRYmZvKMtqUR+SyEpwB7JI0iKsvG4dIdKTA6Odszfsf5jKsuzk0u7Yn8oG3wmNi4nv7zAzmpX4V3vO5umVAzazSNgykkRcNrGLCGXLfDSlq2ikfI2AyBufgqSOP8bxG51z0qBFFAyeEZ9wmgx9Qyqt0F7VFuetLXe0jQfFDsdZtdpxO98LMv+ooNw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bkhv/UbQ2+ZKjcaBxf2aTJ1SO66fp8926shkbZPTDlm7wRFyp1BpztvbA9y9pO8YWJc5rmoImRATGIu6HwwaTJ/ipX3fFanB7rK7iUAdOaDd8GrmCZOxOqF2q0BObt91Lw2khCH1EKpH9N/vc090dMeKsvAIoBHkZa+HJ/QmFF6R69sWU11e03h1TUprXJy05t6S7yFs+LTPPOybhPfALPRb/BdFGex+JXavipjlv1Omn/nAqVhoJd4lBA2g8znOXNZfhRiAuwJwaYHjT8NKDiU44+457fYUshVvER/B7L3+j76tek44uykBrhmsB4o0GxL5w4bx7s0e9RU87c/V8A==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=JBeulich@xxxxxxxx;
  • Cc: Juergen Gross <JGross@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, KonradRzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, IanJackson <Ian.Jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, "wipawel@xxxxxxxxx" <wipawel@xxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, "Martin Mazein\(amazein\)" <amazein@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>
  • Delivery-date: Wed, 10 Jul 2019 12:09:35 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVNYznzzKh5NhX7k+L3inK3UdaXabDTtWAgABAngeAADNMAA==
  • Thread-topic: [PATCH L1TF MDS GT v1 2/3] common/grant_table: harden bound accesses
On 10.07.2019 10:54, Norbert Manthey wrote:
> On 7/10/19 05:04, Jan Beulich wrote:
>> On 08.07.2019 14:58, Norbert Manthey wrote:
>>> On 5/24/19 13:10, Jan Beulich wrote:
>>>>>>> On 24.05.19 at 11:54, <nmanthey@xxxxxxxxx> wrote:
>>>>> On 5/23/19 16:17, Jan Beulich wrote:
>>>>>>>>> On 21.05.19 at 09:45, <nmanthey@xxxxxxxxx> wrote:
>>>>>>> --- a/xen/common/grant_table.c
>>>>>>> +++ b/xen/common/grant_table.c
>>>>>>> @@ -988,9 +988,10 @@ map_grant_ref(
>>>>>>>            PIN_FAIL(unlock_out, GNTST_bad_gntref, "Bad ref %#x for 
>>>>>>> d%d\n",
>>>>>>>                     op->ref, rgt->domain->domain_id);
>>>>>>>    
>>>>>>> -    act = active_entry_acquire(rgt, op->ref);
>>>>>>> +    /* This call also ensures the above check cannot be passed 
>>>>>>> speculatively */
>>>>>>>        shah = shared_entry_header(rgt, op->ref);
>>>>>>>        status = rgt->gt_version == 1 ? &shah->flags : 
>>>>>>> &status_entry(rgt, op->ref);
>>>>>>> +    act = active_entry_acquire(rgt, op->ref);
>>>>>> I know we've been there before, but what guarantees that the
>>>>>> compiler won't reload op->ref from memory for either of the
>>>>>> latter two accesses? In fact afaict it always will, due to the
>>>>>> memory clobber in alternative().
>>>>> The compiler can reload op->ref from memory, that is fine here, as the
>>>>> bound check happens above, and the shared_entry call comes with an
>>>>> lfence() by now, so that we will not continue executing speculatively
>>>>> with op->ref being out-of-bounds, independently of whether it's from
>>>>> memory or registers.
>>>> I don't buy this argumentation: In particular if the cache line got
>>>> flushed for whatever reason, the load may take almost arbitrarily
>>>> long, opening up a large speculation window again using the
>>>> destination register of the load (whatever - not bounds checked -
>>>> value that ends up holding).
>>> I agree, the given protection does not force the CPU to pick up the
>>> fixed value. As you already noticed, the presented fix might not work in
>>> all cases, but is among the suitable solutions we have today to prevent
>>> simple user controlled out-of-bound accesses during speculation. Relying
>>> on the stale value of the register that might be used during speculation
>>> makes a potential out-of-bound access much more difficult. Hence, the
>>> proposed solution looks good enough to me.
>> But using a local variable further reduces the risk afaict: Either
>> the compiler puts it into a register, in which case we're entirely
>> fine. Or it puts it on the stack, which I assume is more likely to
>> stay in cache than a reference to some other data structure (iirc
>> also on the stack, but not in the current frame).
> If you want me to introduce a local variable, I can do that. I remember
> we had discussions around that as well.

I think this would be (at least slightly) better, yes.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.