
[Xen-devel] [PATCH v2] x86/vLAPIC: avoid speculative out of bounds accesses


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <JBeulich@xxxxxxxx>
  • Date: Wed, 17 Jul 2019 16:02:55 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=suse.com;dmarc=pass action=none header.from=suse.com;dkim=pass header.d=suse.com;arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7yslL580Mkil9M70hJUBUralZXl+xHSCHvi6gp/y3nw=; b=P8XA6yHl7X6O5D+VsqIvh5g6HzI5p1jqASJXYY+02wtId8MD+IxLG7p7f0bJXToTzZErSUb/KVwh8hEPUCcHNUdt50vYjQVb8jlkaovb3E/5PMXfoOrRuWBWFIHfO09at6fF7Bv4G0yj0LFaE6RT2p8j3MbR4QNOEE3FwM3P+joeEk+U+fySj0SRd/w5t5xuZ1X+Ee2Q4snr7/aBebf7wVVKg7kQ2Mcdx5FohRR/XLpcVnKipKgdb/7A355iMvjz5tv18s1tgllSzfT4xXyxlXuFfUz5dh+LpsGqsG8Syvee63ohQX4IXHnnVNZhQGTiDROo9GVqjI820t19etFydw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Oe5gmz8RGfxJlq0+KYNqUvoe7NwoFdZKDrsR+EyUPzgcrgf899HWgCyWnO21dQ0qnOHX3cOjWQbHas7U/2CCq8McWMF27uVRjNw4OMt29bod028C8dWvtspbl39B/YfaBxVxZ1a8EqOfucKUHZHqYrj0OehDYKpNyuzFICvOcssofiHylB+rep7Gu32QO0n3GjBUifLGmyNW2j8QnIpkq3ThneQmk+hJ3BE7Gthh6ps/VHel2812jKIPUB4R1o/ybqmnjUg3tlem8tjNR4k5/HPXNHNH7Rn4wT+cFpqcbI0RGbkEf3phYPPAmZ2/QivZlvgnQbUaq5c0EaimLEL7DA==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=JBeulich@xxxxxxxx;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Wed, 17 Jul 2019 16:04:22 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVPLkYZF8+iP93okCS7B48MIFZhA==
  • Thread-topic: [PATCH v2] x86/vLAPIC: avoid speculative out of bounds accesses

Array indexes used in the MSR read/write emulation functions as well as
the direct VMX / APIC-V hook are derived from guest controlled values.
Restrict their ranges to limit the side effects of speculative
execution.

Along these lines also constrain the vlapic_lvt_mask[] access.

Remove the unused vlapic_lvt_{vector,dm}() instead of adjusting them.

This is part of the speculative hardening effort.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
v2: Drop changes to vlapic_mmio_{read,write}(). Drop
     VLAPIC_OFFSET_MASK(). Also tweak guest_wrmsr_x2apic().

--- a/xen/arch/x86/hvm/vlapic.c
+++ b/xen/arch/x86/hvm/vlapic.c
@@ -23,6 +23,7 @@
  #include <xen/domain.h>
  #include <xen/domain_page.h>
  #include <xen/event.h>
+#include <xen/nospec.h>
  #include <xen/trace.h>
  #include <xen/lib.h>
  #include <xen/sched.h>
@@ -65,12 +66,6 @@ static const unsigned int vlapic_lvt_mas
       LVT_MASK
  };
  
-#define vlapic_lvt_vector(vlapic, lvt_type)                     \
-    (vlapic_get_reg(vlapic, lvt_type) & APIC_VECTOR_MASK)
-
-#define vlapic_lvt_dm(vlapic, lvt_type)                         \
-    (vlapic_get_reg(vlapic, lvt_type) & APIC_MODE_MASK)
-
  #define vlapic_lvtt_period(vlapic)                              \
      ((vlapic_get_reg(vlapic, APIC_LVTT) & APIC_TIMER_MODE_MASK) \
       == APIC_TIMER_MODE_PERIODIC)
@@ -676,7 +671,7 @@ int guest_rdmsr_x2apic(const struct vcpu
      };
      const struct vlapic *vlapic = vcpu_vlapic(v);
      uint64_t high = 0;
-    uint32_t reg = msr - MSR_X2APIC_FIRST, offset = reg << 4;
+    uint32_t reg = msr - MSR_X2APIC_FIRST, offset;
  
      /*
       * The read side looks as if it might be safe to use outside of current
@@ -686,9 +681,14 @@ int guest_rdmsr_x2apic(const struct vcpu
      ASSERT(v == current);
  
      if ( !vlapic_x2apic_mode(vlapic) ||
-         (reg >= sizeof(readable) * 8) || !test_bit(reg, readable) )
+         (reg >= sizeof(readable) * 8) )
+        return X86EMUL_EXCEPTION;
+
+    reg = array_index_nospec(reg, sizeof(readable) * 8);
+    if ( !test_bit(reg, readable) )
          return X86EMUL_EXCEPTION;
  
+    offset = reg << 4;
      if ( offset == APIC_ICR )
          high = (uint64_t)vlapic_read_aligned(vlapic, APIC_ICR2) << 32;
  
@@ -867,7 +867,7 @@ void vlapic_reg_write(struct vcpu *v, un
      case APIC_LVTERR:       /* LVT Error Reg */
          if ( vlapic_sw_disabled(vlapic) )
              val |= APIC_LVT_MASKED;
-        val &= vlapic_lvt_mask[(reg - APIC_LVTT) >> 4];
+        val &= array_access_nospec(vlapic_lvt_mask, (reg - APIC_LVTT) >> 4);
          vlapic_set_reg(vlapic, reg, val);
          if ( reg == APIC_LVT0 )
          {
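Review bot: The line `val &= array_access_nospec(vlapic_lvt_mask, (reg - APIC_LVTT) >> 4);` is silent on why a clamp is needed when the surrounding switch's case labels already bound `reg` architecturally; the answer is that the case dispatch can be mispredicted, so the computed index still needs to be confined to ARRAY_SIZE(vlapic_lvt_mask) speculatively. A one-line comment would keep the hardening from looking redundant, e.g. `/* The case labels bound reg architecturally only; clamp for speculation. */`. vlapic_reg_write() starts and ends outside the hunk.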
@@ -957,7 +957,7 @@ static int vlapic_mmio_write(struct vcpu
  int vlapic_apicv_write(struct vcpu *v, unsigned int offset)
  {
      struct vlapic *vlapic = vcpu_vlapic(v);
-    uint32_t val = vlapic_get_reg(vlapic, offset);
+    uint32_t val = vlapic_get_reg(vlapic, offset & ~0xf);
  
      if ( vlapic_x2apic_mode(vlapic) )
      {
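Review bot: `offset & ~0xf` aligns the offset to the 16-byte register stride but does not bound it, so this hunk alone does not restrict the index range the commit message describes for the APIC-V hook. If the upper bound is guaranteed by the caller (the value handed over by the APIC-write VM exit is presumably already limited to the register page, but that is not visible here), the new line should say so rather than leave the reader to assume it, e.g. `/* offset is caller-bounded to the register page; only align it to the 16-byte register stride. */`. The remainder of vlapic_apicv_write(), including the later uses of offset, is outside the hunk.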
@@ -1053,7 +1053,7 @@ int guest_wrmsr_x2apic(struct vcpu *v, u
          }
      }
  
-    vlapic_reg_write(v, offset, msr_content);
+    vlapic_reg_write(v, array_index_nospec(offset, PAGE_SIZE), msr_content);
  
      return X86EMUL_OKAY;
  }
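Review bot: The clamp bound in `vlapic_reg_write(v, array_index_nospec(offset, PAGE_SIZE), msr_content);` is PAGE_SIZE, while the read-side hunk in guest_rdmsr_x2apic() clamps `reg` against the readable-bitmap bit count before deriving `offset`; nothing in this hunk states which earlier check in guest_wrmsr_x2apic() makes `offset < PAGE_SIZE` the relevant range, so the two MSR paths read inconsistently. Either clamp the same quantity the earlier check validates, or add a comment tying the bound to that check, e.g. `/* offset was range-checked above; clamp to the vlapic register page for speculation. */`. The earlier range check and the start of guest_wrmsr_x2apic() lie outside the hunk.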