[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/PV: address odd UB in I/O emulation


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 8 Jul 2021 14:53:24 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=91Vc3yL3Dj95o8w0qk28ld+UBjCT9m9oRccVquHOXtI=; b=Bujyn0LC+xIOegKRJRLUcbqSFVG2xG896eEc+quI6fGIT07F8zYrDn2wEgTkPIDN5qOSClvzcZqupgL0hM2HnPfeNRBiEUMiZOuxGC+a6SGHfWTyDub/uFf/6HobsCpk7qozzgGyEiEIP6WZNFtJvVPsFnPz9j4MsNQskoEG4XRU3JAE4cwMXAeCSuGKjMm9gXeqhaxNGfp7Z4lja4Rkvk4a8u/tS6ArTfyiWUZYmYrn/IjC3BECwhohyxQD1/OB9zmNF5tQ375Cv5J+ZAqZzHpJkUoJlZw+IKk2+tDOxd+D7HYdERCKoZHf8Esvx41coktgPUJgHpjLgW6wbnCV/Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AoOCVQgyF9kz9DOStTsaf9lpBBBjGkX3gv0JA+YcIJP1g0j6yaf01t0kFxr6caJwYVSfo/gJ9+VAIeTNZG2LmVmI5GqQ/amwKibJfFCNbUPv/fpv9kx7qK2gH//GithEHtlONU9MEt1OCTUg1lulmjSrsXODfP/rlCPCDZ4hw77vCEBg5uHAujKfDVxDu6BGv/pOQniphzb1vJk+UoXxtHkXxD9Gx1/1FritqhgDDjBJHHkAs7zwAfupweN8s0dMruIfnpohO5o4HS4xhxq9Q5b+pMCkJPCap/CUFiHV8LVGG0JsudPf/0MtoruIRw6rxGLWh4hOCVOpF+A0c0wu2A==
  • Authentication-results: lists.xenproject.org; dkim=none (message not signed) header.d=none;lists.xenproject.org; dmarc=none action=none header.from=suse.com;
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Franklin Shen <2284696125@xxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 08 Jul 2021 12:53:33 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 08.07.2021 13:15, Andrew Cooper wrote:
> On 08/07/2021 08:21, Jan Beulich wrote:
>> Compilers are certainly right in detecting UB here, given that fully
>> parenthesized (to express precedence) the original offending expression
>> was (((stub_va + p) - ctxt->io_emul_stub) + 5), which in fact exhibits
>> two overflows in pointer calculations. We really want to calculate
>> (p - ctxt->io_emul_stub) first, which is guaranteed to not overflow.
> 
> I agree that avoiding this overflow is an improvement, but as I said in
> my original analysis, (f) - (expr) also underflows and results in a
> negative displacement.

And how is a negative displacement a problem? ptrdiff_t is explicitly
a signed type. The language (I'm inclined to say "of course") allows
for pointer subtraction in both directions, i.e. one isn't required
to know which one of the operands is pointing to the lower address.

> This is specifically why I did the cast the other way around, so we're
> subtracting integers not pointers.

Iirc what you did was to cast the result of the pointer arithmetic.
The fact that this has silenced the reporting of UB was suspicious
in the first place, as I did also point out ...

> It appears that we don't use -fwrapv so in any case, the only way of
> doing this without UB is to use unsigned long's everywhere.
> 
>> The issue was observed with clang 9 on 4.13.
>>
>> The oddities are
>> - the issue was detected on APPEND_CALL(save_guest_gprs), despite the
>>   earlier similar APPEND_CALL(load_guest_gprs),
>> - merely casting the original offending expression to long was reported
>>   to also help.

... here.

> Further to the above, that was also so didn't have an expression of
> (ptr) - (unsigned long).

We didn't have such an expression - the left side (the function
pointer) is already being cast to long.

>> While at it also avoid converting guaranteed (with our current address
>> space layout) negative values to unsigned long (which has implementation
>> defined behavior):
> 
> ?  Converting between signed and unsigned representations has explicitly
> well defined behaviour.

Converting _from_ signed _to_ unsigned does, but the other way around
in only has if the value is representable (i.e. doesn't end up negative).

>>  Have stub_va be of pointer type. And since it's on an
>> immediately adjacent line, also constify this_stubs.
>>
>> Fixes: d89e5e65f305 ("x86/ioemul: Rewrite stub generation to be shadow stack 
>> compatible")
>> Reported-by: Franklin Shen <2284696125@xxxxxx>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>> ---
>> I'm not going to insist on the part avoiding implementation defined
>> behavior here. If I am to drop that, it is less clear whether
>> constifying this_stubs would then still be warranted.
> 
> You're implicitly casting away const now at the return, which is
> something you object to in other peoples patches.

There's no concept of "const" when the pointed to type is a function
type. Or else the compiler would legitimately complain about the
loss of const.

>> --- a/xen/arch/x86/pv/emul-priv-op.c
>> +++ b/xen/arch/x86/pv/emul-priv-op.c
>> @@ -89,8 +89,8 @@ static io_emul_stub_t *io_emul_stub_setu
>>          0xc3,       /* ret       */
>>      };
>>  
>> -    struct stubs *this_stubs = &this_cpu(stubs);
>> -    unsigned long stub_va = this_stubs->addr + STUB_BUF_SIZE / 2;
>> +    const struct stubs *this_stubs = &this_cpu(stubs);
>> +    const void *stub_va = (void *)this_stubs->addr + STUB_BUF_SIZE / 2;
>>      unsigned int quirk_bytes = 0;
>>      char *p;
>>  
>> @@ -98,7 +98,7 @@ static io_emul_stub_t *io_emul_stub_setu
>>  #define APPEND_BUFF(b) ({ memcpy(p, b, sizeof(b)); p += sizeof(b); })
>>  #define APPEND_CALL(f)                                                  \
>>      ({                                                                  \
>> -        long disp = (long)(f) - (stub_va + p - ctxt->io_emul_stub + 5); \
>> +        long disp = (void *)(f) - (stub_va + (p - ctxt->io_emul_stub) + 5); 
>> \
> 
> The only version of this which is UB-free is
> 
> long disp = (unsigned long)(f) - (stub_va + (p - ctxt->io_emul_stub) + 5);

As per above I don't see why you claim this is the only UB-free form;
for now I don't see any UB in the form I've used. Plus your variant
again utilizes unsigned -> signed conversion, which I've explained I'd
prefer to avoid (but would be willing to give up on, as that's only a
secondary goal here, and we surely have very many cases of such
throughout the code base).

Jan




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.