Xen project Mailing List

Re: [PATCH for-4.16 v2] efi: fix alignment of function parameters in compat mode

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 18 Nov 2021 11:48:34 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TZft+WfS+KYGog5BueoSOrodyo8FpxreEnFSpcDLhkw=; b=Kj2BH8bCJp2bXWbPFggUlnLwxTfL7kBcRnMC21dZHZ/M9K3q+VLvSSlgNEauSm14MU9mWvYsTKqHMpt+LZGR3zRQDPt6Jm/3nvs76Uwg29DE8zPw/4yAC9ffCN/ihoaHuNo/xqOSOH/tylRe+QZ7k1vxpD5mnUMqm9W7nCHiAW/j3yjY6/xhauzarCfRVCqPX/OWRjPVaI8r+QmvV2OnQhXO+NoDjzQVcWYArhTvRDL3BOpuvpIWKx8eQrbx4bxsbYTUjN5ImKkI8Z7GmoigBpKPJdloxUV/V9gqigHC23ObA+B3Y1VYZuqMWVl3DkvBh2z46V8gjcz/2L1MfbwkBA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nCTarAecHm6R4ygkQbx6xiPM1+zf3/l+PlAgV6qSdj2janJxDan3kGgGb7g1kCCwb3F9t9GSRlMl9KxJM619q4XzZXvMxClqGSJv0RtMpqa6Yhq5lLdq8kC/kRIU0tGwTxPzGG+kPYh+jP5TIW+pNCOMP26QYhcBNlrlXedD7HOrtWua/pGdeJOPVvFMVbYtYe4BuDpRolwu/wllTj1rmO2LnnjDbiL9jGCbeH17WdANb/PkVvuXRVzIfHMgSzUYCdpjcfJwU5gxTlaH53BXh2N5Dhmo4J3D/j97TSBRhK/QMrGHqOCvHADKenjCa0t3ceSMmCn9QDjPTKYxsiGRng==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Ian Jackson <iwj@xxxxxxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Thu, 18 Nov 2021 10:48:43 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 18.11.2021 11:20, Roger Pau Monné wrote: > On Thu, Nov 18, 2021 at 10:46:32AM +0100, Jan Beulich wrote: >> On 18.11.2021 09:28, Roger Pau Monne wrote: >>> Currently the max_store_size, remain_store_size and max_size in >>> compat_pf_efi_runtime_call are 4 byte aligned, which makes clang >>> 13.0.0 complain with: >>> >>> In file included from compat.c:30: >>> ./runtime.c:646:13: error: passing 4-byte aligned argument to 8-byte >>> aligned parameter 2 of 'QueryVariableInfo' may result in an unaligned >>> pointer access [-Werror,-Walign-mismatch] >>> &op->u.query_variable_info.max_store_size, >>> ^ >>> ./runtime.c:647:13: error: passing 4-byte aligned argument to 8-byte >>> aligned parameter 3 of 'QueryVariableInfo' may result in an unaligned >>> pointer access [-Werror,-Walign-mismatch] >>> &op->u.query_variable_info.remain_store_size, >>> ^ >>> ./runtime.c:648:13: error: passing 4-byte aligned argument to 8-byte >>> aligned parameter 4 of 'QueryVariableInfo' may result in an unaligned >>> pointer access [-Werror,-Walign-mismatch] >>> &op->u.query_variable_info.max_size); >>> ^ >>> Fix this by bouncing the variables on the stack in order for them to >>> be 8 byte aligned. >>> >>> Note this could be done in a more selective manner to only apply to >>> compat code calls, but given the overhead of making an EFI call doing >>> an extra copy of 3 variables doesn't seem to warrant the special >>> casing. >>> >>> Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> >>> Release-Acked-by: Ian Jackson <iwj@xxxxxxxxxxxxxx> >> >> The code change looks correct to me, so it could have my R-b, but I'd >> like to ask for some clarification first. >> >>> --- a/xen/common/efi/runtime.c >>> +++ b/xen/common/efi/runtime.c >>> @@ -607,6 +607,9 @@ int efi_runtime_call(struct xenpf_efi_runtime_call *op) >>> break; >>> >>> case XEN_EFI_query_variable_info: >>> + { >>> + uint64_t max_store_size, remain_store_size, max_size; >>> + >>> if ( op->misc & ~XEN_EFI_VARINFO_BOOT_SNAPSHOT ) >>> return -EINVAL; >>> >>> @@ -638,16 +641,34 @@ int efi_runtime_call(struct xenpf_efi_runtime_call >>> *op) >>> >>> if ( !efi_enabled(EFI_RS) || (efi_rs->Hdr.Revision >> 16) < 2 ) >>> return -EOPNOTSUPP; >>> + >>> + /* >>> + * Bounce the variables onto the stack to make them 8 byte aligned >>> when >>> + * called from the compat handler, as their placement in >>> + * compat_pf_efi_runtime_call will make them 4 byte aligned >>> instead and >>> + * clang will complain. >> >> I expect future gcc would also complain; I'm actually surprised it >> doesn't already, as I recall work in that direction was done for one >> of the more recent releases. Hence while I'm fine with referring to >> clang specifically in the description, I'd prefer the comment here >> to be more generic. E.g. "... and compilers may validly complain." > > Sure. > >>> + * Note we do this regardless of whether called from the compat >>> handler >>> + * or not, as it's not worth the extra logic to differentiate. >>> + */ >>> + max_store_size = op->u.query_variable_info.max_store_size; >>> + remain_store_size = op->u.query_variable_info.remain_store_size; >>> + max_size = op->u.query_variable_info.max_size; >> >> All three are OUT only as per the EFI spec. I'm not going to insist >> on dropping these assignments, but their presence wants justifying >> in the comment if you want to retain them. E.g. "While the function >> parameters are OUT only, copy the values here anyway just in case." >> Obviously if the assignments here were dropped, the local variables >> would need to gain initializers to avoid leaking hypervisor stack >> data. > > I think it's important to do the copy in order to prevent changes in > behavior. Even if explicitly listed as OUT I won't be surprised if > there where quirks that passed something in. > > What about replacing the last paragraph with: > > "Note that while the function parameters are OUT only, copy the values > here anyway just in case. This is done regardless of whether called > from the compat handler or not, as it's not worth the extra logic to > differentiate." Fine with me, thanks. Jan

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.