[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] x86/time: use fake read_tsc()


  • To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 1 Mar 2022 15:14:48 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=P4Wui87pS9Nc396SWhM/waAHPk+Jt68Fa+FaWuQHLg4=; b=Ff/BU23uoxlqx4p+t6xDmdR8WIyom7ssOHW3EBNVN9RvOX3/UjFmMjXACALBc8mzBsOWgrM081Dcb3n7kc4/lGZ/PPEuuiYsBvNw0jnHu/LQKOg5QapVhgQBsHfmn9diUSrBJDGzxcfhqz5Ew9WZGnBWITiBW9VWN5WhFnBoJXBHJbMjDS27BuRQvaKw4h08wiJmILYUmfqkZ22nEfYJS+PGwuUA/gF7TZh/iXGVO9CBvXXqND8/a91iAbslAaMfTPb9GgaIf46meRLPr8dr6nber3OJWVwsj7bzRgxqnEnlIptXOChFvtBnH5ftBAvEo5BdeB5GDoXgOIIFq6fEXw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=j45khpdFn4pqgL/txI7zlEzW7ieekFMK7uP+Mps86VSAnZtiC2hXfmfX6p2qEzrUs0GMS8MyVG7L/xZ1b4x2VTxw5tTGav8F5JCvCZRG6CKEamFVrak/i1Z/MWkQonzXLU10LW1XmrbH87uI93C/XBY/wZWDxj87bPn2Z/9fpbGjJQrhCHkSBsOPQ4a3CxZKapjEMdv+BNBjw5W1Jdd3/ffJYf7e361f0jouuhcgHc7CBqol/TSWxIdfTo75mZwlLXXiCeXVYqh/c+lJGdKJIrEpRI1kIyNeL1TQ9JYLw7kbPX03QgihToPKCOBPAW3P+99SXueiRYEQnUzXdNPO5w==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 01 Mar 2022 14:15:02 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01.03.2022 14:07, Andrew Cooper wrote:
> On 01/03/2022 11:05, Jan Beulich wrote:
>> Go a step further than bed9ae54df44 ("x86/time: switch platform timer
>> hooks to altcall") did and eliminate the "real" read_tsc() altogether:
>> It's not used except in pointer comparisons, and hence it looks overall
>> more safe to simply poison plt_tsc's read_counter hook.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>> ---
>> I wasn't really sure whether it would be better to use simply void * for
>> the type of the expression, resulting in an undesirable data -> function
>> pointer conversion, but making it impossible to mistakenly try and call
>> the (fake) function directly.
>>
>> --- a/xen/arch/x86/time.c
>> +++ b/xen/arch/x86/time.c
>> @@ -585,10 +585,12 @@ static s64 __init cf_check init_tsc(stru
>>      return ret;
>>  }
>>  
>> -static uint64_t __init cf_check read_tsc(void)
>> -{
>> -    return rdtsc_ordered();
>> -}
>> +/*
>> + * plt_tsc's read_counter hook is (and should not be) invoked via the struct
> 
> Either "is not (and should not be)" or "is (and should) not be".

Oh, of course.

>> + * field. To avoid carrying an unused, indirectly reachable function, poison
>> + * the field with an easily identifiable non-canonical pointer.
>> + */
>> +#define read_tsc ((uint64_t(*)(void))0x75C75C75C75C75C0ul)
> 
> How about using ZERO_BLOCK_PTR?  The hex constant 0xBAD0... is more
> easily recognisable, and any poisoned pointer will do.

Well, I specifically wanted to _not_ re-use any of the constants we
already use.

> That said... what's wrong a plain NULL?  I can't see any need for a
> magic constant here.

Are you fancying an XSA for a call through NULL in PV guest context?

> Overall, I think this patch should be merged with the subsequent one,
> because in isolation it is slightly dubious.  read_tsc() is one of the
> few functions which is of no interest to an attacker, architecturally
> (because it's just rdtsc) or speculatively (because it is dispatch
> serialising).

What code would appear to live at read_tsc()'s address at the time an
attacker can come into play is unknown, given it's __init.

> This change is only (AFAICT) to allow the use of cf_clobber later.

Not exactly. The subsequent patch specifically does not touch plt_tsc.
And if it did, it would have no effect with read_tsc() living in
.init.text.

Jan




 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.