[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Ping: [PATCH] x86/PV: address odd UB in I/O emulation

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 18 Oct 2021 10:17:04 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TT1Yg1Ui+3ajrltfvs1+MwffPu6AfveDBZrEEbldyUM=; b=cwC2RVbojiXzr/pmtvoWPBfzPBsrB92ewxK4lqnkCOoI813eIatTbnu6eYLGo/svLY99JYAU+GcBWtUKD4NfkAj4Ixj5ICbYxF2qHyleM/OEHgufLsKqjlv8+te0hqrfETFVldWFuwQt89hkNeUKGtN47+DjLOiQX15ngiKNLME2YpV9T4WpxdoDNvLcohiIvN4JQWBdpkDe2xFBEV5BejYY4NTWBN7InFXToPPLxJCUzvWb1/DO9xIzkDJ9gAUCVNoXNzB6IWv9VoSim5QpfyrXwtUpop7DAm4qrkOpWAxhTLibFzN9xLZEbr49vFDdeOVYvdLcckY9ZC8LAmTsfw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dZCFdm5O798SMAaU8F8someSy4WdcVhiFXiquR1n4WL2edhSwJvC6baenV8L3EyLL7mPZ4uZsXAQZl24Iq5ffwB7tGQTerjMgJJ2IuOhTMNfK6zO4ofvAwFhceiD17Pn5klPjKhxUdXxEV3aIFg6detyRKm3nRFuj1VmS0lsnp4Fr6rjNdtpa9chHnN6zy2+BPRsJpvJlpFlR7NP3Mvxd0eM9UUqLTwKsic4jgrDyjxqCWj5g94xVPID0ff6GEMZXRVORU3xBFREn9V3JyxcnXicR+imFzweyx15NGWIe0HNkM702/FG/D7fmLl4t7UoEPWpwwnwbDC9OKwqKqwgJg==
  • Authentication-results: lists.xenproject.org; dkim=none (message not signed) header.d=none;lists.xenproject.org; dmarc=none action=none header.from=suse.com;
  • Cc: Rroach <2284696125@xxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 18 Oct 2021 08:17:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 08.07.2021 09:21, Jan Beulich wrote:
> Compilers are certainly right in detecting UB here, given that fully
> parenthesized (to express precedence) the original offending expression
> was (((stub_va + p) - ctxt->io_emul_stub) + 5), which in fact exhibits
> two overflows in pointer calculations. We really want to calculate
> (p - ctxt->io_emul_stub) first, which is guaranteed to not overflow.
> 
> The issue was observed with clang 9 on 4.13.
> 
> The oddities are
> - the issue was detected on APPEND_CALL(save_guest_gprs), despite the
>   earlier similar APPEND_CALL(load_guest_gprs),
> - merely casting the original offending expression to long was reported
>   to also help.
> 
> While at it also avoid converting guaranteed (with our current address
> space layout) negative values to unsigned long (which has implementation
> defined behavior): Have stub_va be of pointer type. And since it's on an
> immediately adjacent line, also constify this_stubs.
> 
> Fixes: d89e5e65f305 ("x86/ioemul: Rewrite stub generation to be shadow stack 
> compatible")
> Reported-by: Franklin Shen <2284696125@xxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> I'm not going to insist on the part avoiding implementation defined
> behavior here. If I am to drop that, it is less clear whether
> constifying this_stubs would then still be warranted.

While I did respond to all review comments by Andrew, this has not
lead to forward progress here.

Jan

> --- a/xen/arch/x86/pv/emul-priv-op.c
> +++ b/xen/arch/x86/pv/emul-priv-op.c
> @@ -89,8 +89,8 @@ static io_emul_stub_t *io_emul_stub_setu
>          0xc3,       /* ret       */
>      };
>  
> -    struct stubs *this_stubs = &this_cpu(stubs);
> -    unsigned long stub_va = this_stubs->addr + STUB_BUF_SIZE / 2;
> +    const struct stubs *this_stubs = &this_cpu(stubs);
> +    const void *stub_va = (void *)this_stubs->addr + STUB_BUF_SIZE / 2;
>      unsigned int quirk_bytes = 0;
>      char *p;
>  
> @@ -98,7 +98,7 @@ static io_emul_stub_t *io_emul_stub_setu
>  #define APPEND_BUFF(b) ({ memcpy(p, b, sizeof(b)); p += sizeof(b); })
>  #define APPEND_CALL(f)                                                  \
>      ({                                                                  \
> -        long disp = (long)(f) - (stub_va + p - ctxt->io_emul_stub + 5); \
> +        long disp = (void *)(f) - (stub_va + (p - ctxt->io_emul_stub) + 5); \
>          BUG_ON((int32_t)disp != disp);                                  \
>          *p++ = 0xe8;                                                    \
>          *(int32_t *)p = disp; p += 4;                                   \
> @@ -106,7 +106,7 @@ static io_emul_stub_t *io_emul_stub_setu
>  
>      if ( !ctxt->io_emul_stub )
>          ctxt->io_emul_stub =
> -            map_domain_page(_mfn(this_stubs->mfn)) + (stub_va & ~PAGE_MASK);
> +            map_domain_page(_mfn(this_stubs->mfn)) + PAGE_OFFSET(stub_va);
>  
>      p = ctxt->io_emul_stub;
>  
> @@ -141,7 +141,7 @@ static io_emul_stub_t *io_emul_stub_setu
>      block_speculation(); /* SCSB */
>  
>      /* Handy function-typed pointer to the stub. */
> -    return (void *)stub_va;
> +    return stub_va;
>  
>  #undef APPEND_CALL
>  #undef APPEND_BUFF
> 
>

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.