Re: [Xen-devel] [PATCH L1TF MDS GT v2 2/2] common/grant_table: harden version dependent accesses
On 10.07.2019 14:54, Norbert Manthey wrote:
> Guests can issue grant table operations and provide guest controlled
> data to them. This data is used as index for memory loads after bound
> checks have been done. Depending on the grant table version, the
> size of elements in containers differs. As the base data structure is
> a page, the number of elements per page also differs. Consequently,
> bound checks are version dependent, so that speculative execution can
> happen in several stages, the bound check as well as the version check.
>
> This commit mitigates cases where out-of-bound accesses could happen
> due to the version comparison. In cases, where no different memory
> locations are accessed on the code path that follows an if statement,
> no protection is required. No different memory locations are accessed
> in the following functions after a version check:
>
>  * gnttab_setup_table: only calculated numbers are used, and then
>    function gnttab_grow_table is called, which is version protected
>
>  * gnttab_transfer: the case that depends on the version check just gets
>    into copying a page or not
>
>  * acquire_grant_for_copy: the not fixed comparison is on the abort path
>    and does not access other structures, and on the else branch
>    accesses only structures that have been validated before
>
>  * gnttab_set_version: all accessible data is allocated for both versions

On v1 I did say "The very first loop is safe only because nr_grant_entries()
is." But anyway, ...

> Furthermore, the functions gnttab_populate_status_frames and
> gnttab_unpopulate_status_frames received a block_speculation
> macro. Hence, this code will only be executed once the correct
> version is visible in the architectural state.
>
>  * gnttab_release_mappings: this function is called only during domain
>    destruction and control is not returned to the guest
>
>  * mem_sharing_gref_to_gfn: speculation will be stopped by the second if
>    statement, as that places a barrier on any path to be executed.
>
>  * gnttab_get_status_frame_mfn: no version dependent check, because all
>    accesses, except the gt->status[idx], do not perform index-based
>    accesses, or speculative out-of-bound accesses in the
>    gnttab_grow_table function call.
>
>  * gnttab_usage_print: cannot be triggered by the guest
>
> This is part of the speculative hardening effort.
>
> Signed-off-by: Norbert Manthey <nmanthey@xxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>

Jan
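The version dependent bound described in the commit message above, as an added C model that is not code from the patch or from Xen. The entry sizes (8 bytes for v1, 16 bytes for v2), the 4096-byte page and all function names are assumptions of this model; it shows a branchless index clamp for the bound check and why that clamp alone does not cover a disagreement between the two version dependent decisions.

```c
#include <stdio.h>

#define PAGE_SIZE 4096ul

/* Assumed for this model: a v1 entry is 8 bytes, a v2 entry 16 bytes. */
static unsigned long entry_size(unsigned int ver)
{
    return ver == 1 ? 8ul : 16ul;
}

/* Entries that fit into `frames` pages: the version dependent bound. */
static unsigned long nr_entries(unsigned int ver, unsigned long frames)
{
    return frames * (PAGE_SIZE / entry_size(ver));
}

/* All ones if idx < size, else 0, computed without a branch.
 * Relies on arithmetic right shift of negative values (GCC, Clang). */
static unsigned long index_mask(unsigned long idx, unsigned long size)
{
    return ~(unsigned long)((long)(idx | (size - 1 - idx)) >>
                            (sizeof(long) * 8 - 1));
}

/* Byte offset of entry `ref`, or -1 if ref is out of range for `ver`. */
static long entry_offset(unsigned int ver, unsigned long frames, unsigned long ref)
{
    unsigned long limit = nr_entries(ver, frames);

    if (ref >= limit)
        return -1;
    /* No-op architecturally; forces ref to 0 if the check was mispredicted. */
    ref &= index_mask(ref, limit);
    return (long)(ref * entry_size(ver));
}

/* Bytes past the table end if the v1 bound were combined with the v2 entry
 * size, i.e. the bound and the element size come from different versions. */
static unsigned long mixed_version_overrun(unsigned long frames, unsigned long ref)
{
    unsigned long end = (ref + 1) * entry_size(2);
    unsigned long table = frames * PAGE_SIZE;
    return (ref < nr_entries(1, frames) && end > table) ? end - table : 0;
}

int main(void)
{
    printf("v1: %ld, v2: %ld, mixed overrun: %lu bytes\n", entry_offset(1, 1, 300),
           entry_offset(2, 1, 300), mixed_version_overrun(1, 300));
    return 0;
}
```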