[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH V4 1/4] x86/mm: Add array_index_nospec to guest provided index values

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Alexandru Stefan ISAILA <aisaila@xxxxxxxxxxxxxxx>
  • Date: Wed, 18 Dec 2019 10:26:55 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bitdefender.com; dmarc=pass action=none header.from=bitdefender.com; dkim=pass header.d=bitdefender.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IcZdUf6PvZUS1rDCzAgPi14N+tHtihC2vJOjwKqrW6M=; b=BHN8+z05ZPGpscBOkl2mTJrGiQu/CUm1RjgzLImIYVWpMd1EOW81Q3clazW3qFLpSXcZUv8tUAH7fWDebP2+QLIkkPCU5EkaeuGqnVuKbbHlz4zgLZrotQi2LltBCC5fVyqiMKyB5HOzyLaE3YrPitIoJTyd9kM8ve1d3ILeZgr2GYYQoA6xvKZijAKVkTh0grtcJ4ZuoT516X6uX+7iJBlfbvYmjqqB08mWKmtmINLjwyiF5Wwi9xvavahz7VWEPaA8Ms4iTp5yJu11/S5LkrlYk1jHvDJZbG0hkJkxW8ibhzluIY09TVT4tVKMgkrUirZoQmKhvMTEcE9J1346sw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BDXs5HVDo3CDQ1HZiQtiJ7ZybgMotjrSPPKGb7d5M2KUEFQlzCOc1pTqkO0KTsaZyiwBSGqt9EK8fOuqFbVNlmfIu9Chj1ex+tWJaiqD4TXsnUlatG+YRyln1hWUuhzTlRhJwXFg3Tp05ehERPuuSlL9/9RuY9F56R4Cp3ZsPid07wZk9ojqQOJb1TdTEgJZXXHmPS4bXHxoDs65+gI4mw5JNPZ6A7OVwz/Zwn0rHnfKqdk8DmASDeUZkzXKmFrpTSXf+ZvY9yJ3ySa4l2XNTNWOeYUkqiOprP84ZXKOJNP3EWiD9WZBkoevBXn59h3UIcHBnT+0/GAiFGTvBApKIA==
  • Authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@xxxxxxxxxxxxxxx;
  • Cc: Petre Ovidiu PIRCALABU <ppircalabu@xxxxxxxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Razvan COJOCARU <rcojocaru@xxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Wed, 18 Dec 2019 10:27:06 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHVtYrbSmopSnkCGEy51VygQoGWEqe/sD6A
  • Thread-topic: [PATCH V4 1/4] x86/mm: Add array_index_nospec to guest provided index values

On 18.12.2019 12:06, Jan Beulich wrote:
> On 18.12.2019 10:57, Alexandru Stefan ISAILA wrote:
>> On 18.12.2019 10:06, Alexandru Stefan ISAILA wrote:
>>> On 17.12.2019 18:50, Jan Beulich wrote:
>>>> On 17.12.2019 16:12, Alexandru Stefan ISAILA wrote:
>>>>> --- a/xen/arch/x86/mm/p2m-ept.c
>>>>> +++ b/xen/arch/x86/mm/p2m-ept.c
>>>>> @@ -1353,7 +1353,8 @@ void setup_ept_dump(void)
>>>>>     
>>>>>     void p2m_init_altp2m_ept(struct domain *d, unsigned int i)
>>>>>     {
>>>>> -    struct p2m_domain *p2m = d->arch.altp2m_p2m[i];
>>>>> +    struct p2m_domain *p2m =
>>>>> +           d->arch.altp2m_p2m[array_index_nospec(i, MAX_ALTP2M)];
>>>>>         struct p2m_domain *hostp2m = p2m_get_hostp2m(d);
>>>>>         struct ept_data *ept;
>>>>>     
>>>>> @@ -1366,7 +1367,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned 
>>>>> int i)
>>>>>         p2m->max_mapped_pfn = p2m->max_remapped_gfn = 0;
>>>>>         ept = &p2m->ept;
>>>>>         ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m));
>>>>> -    d->arch.altp2m_eptp[i] = ept->eptp;
>>>>> +    d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;
>>>>>     }
>>>>>     
>>>>>     unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp)
>>>>> --- a/xen/arch/x86/mm/p2m.c
>>>>> +++ b/xen/arch/x86/mm/p2m.c
>>>>> @@ -2499,7 +2499,7 @@ static void p2m_reset_altp2m(struct domain *d, 
>>>>> unsigned int idx,
>>>>>         struct p2m_domain *p2m;
>>>>>     
>>>>>         ASSERT(idx < MAX_ALTP2M);
>>>>> -    p2m = d->arch.altp2m_p2m[idx];
>>>>> +    p2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)];
>>>>>     
>>>>>         p2m_lock(p2m);
>>>>>     
>>>>> @@ -2540,7 +2540,7 @@ static int p2m_activate_altp2m(struct domain *d, 
>>>>> unsigned int idx)
>>>>>     
>>>>>         ASSERT(idx < MAX_ALTP2M);
>>>>>     
>>>>> -    p2m = d->arch.altp2m_p2m[idx];
>>>>> +    p2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)];
>>>>
>>>> All of the above have a more or less significant disconnect between
>>>> the bounds check and the use as array index. I think it would be
>>>> quite helpful if these could live close to one another, so one can
>>>> (see further up) easily prove that both specified bounds actually
>>>> match up.
>>>>
>>>
>>> Sure, I can move the array use closer together.
>>>
>>
>> Sorry to come back on this but I was looking in the code and I am not
>> sure I follow where is the disconnect. If you are talking about
>> p2m_init_altp2m_ept() the eptp code will move up in patch 3/4.
> 
> My remark was about all four hunks left in context (and then still
> possibly extending to other ones). Let's take the last one above:
> p2m_activate_altp2m() has two callers, one of which loops over
> altp2m-s (and hence doesn't need the guard). The other one is
> p2m_init_altp2m_by_id() which does the range check I'm talking
> about (ASSERT() doesn't count), and which therefore is the place
> to use array_index_nospec(). Once you look there you'll notice
> that the function also has an array access itself which you've
> left untouched.
> 

So add a "idx = array_index_nospec(idx, MAX_ALTP2M)" in the callers 
where there is a need for this and drop checks in the lower functions.


Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.