
Re: [PATCH] x86/PV: address odd UB in I/O emulation


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Mon, 18 Oct 2021 11:56:47 +0200
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Rroach <2284696125@xxxxxx>
  • Delivery-date: Mon, 18 Oct 2021 09:57:24 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Jul 08, 2021 at 09:21:26AM +0200, Jan Beulich wrote:
> Compilers are certainly right in detecting UB here, given that fully
> parenthesized (to express precedence) the original offending expression
> was (((stub_va + p) - ctxt->io_emul_stub) + 5), which in fact exhibits
> two overflows in pointer calculations. We really want to calculate
> (p - ctxt->io_emul_stub) first, which is guaranteed to not overflow.
> 
> The issue was observed with clang 9 on 4.13.
> 
> The oddities are
> - the issue was detected on APPEND_CALL(save_guest_gprs), despite the
>   earlier similar APPEND_CALL(load_guest_gprs),
> - merely casting the original offending expression to long was reported
>   to also help.
> 
> While at it also avoid converting guaranteed (with our current address
> space layout) negative values to unsigned long (which has implementation
> defined behavior): Have stub_va be of pointer type. And since it's on an
> immediately adjacent line, also constify this_stubs.
> 
> Fixes: d89e5e65f305 ("x86/ioemul: Rewrite stub generation to be shadow stack compatible")
> Reported-by: Franklin Shen <2284696125@xxxxxx>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Thanks, Roger.
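
The ordering the commit message asks for, as an added example that is not part of the original mail and not Xen's code: take the offset inside the writable stub first, then rebase it onto the address the stub executes from. The names stub_va and p follow the commit message; append_call, stub_buf, len and target are assumptions of this sketch, which also assumes a 64-bit target.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Emit "call rel32" (opcode 0xe8) at p. stub_buf is the writable view of the
 * stub and p points into it; stub_va is where the same bytes execute from.
 * Returns the advanced write pointer, or NULL if the call cannot be encoded.
 */
uint8_t *append_call(uint8_t *stub_buf, size_t len, uint8_t *p,
                     const uint8_t *stub_va, uintptr_t target)
{
    /* Both pointers are in stub_buf, so this difference is well defined. */
    ptrdiff_t off = p - stub_buf;

    if (off < 0 || (size_t)off + 5 > len)
        return NULL;                      /* no room for the 5-byte insn */

    /*
     * Offset first, then rebase: stub_va + off + 5 stays inside the
     * executable view. The form the commit message quotes,
     * ((stub_va + p) - stub_buf) + 5 with an integer stub_va, first moves p
     * far outside its object and only then subtracts its way back.
     */
    const uint8_t *next = stub_va + off + 5;

    /* Unsigned subtraction wraps by definition; reinterpret as signed. */
    intptr_t disp = (intptr_t)(target - (uintptr_t)next);

    if (disp < INT32_MIN || disp > INT32_MAX)
        return NULL;                      /* target beyond rel32 reach */

    int32_t rel = (int32_t)disp;

    *p++ = 0xe8;
    memcpy(p, &rel, sizeof(rel));         /* avoids an unaligned int32_t store */
    return p + sizeof(rel);
}
```

Building callers of such a helper with -fsanitize=pointer-overflow (clang, and gcc 8 or later) reports the out-of-object intermediate at run time if the arithmetic is ever reordered.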



 

