[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 9/9] x86/shadow: harden shadow_size()

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Tue, 17 Jan 2023 19:13:27 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5hggP8gB8E6F2vLgwEBeqHK894LH8iRqTLFBk5fBDXI=; b=d05Dt4A0HhYj5uDfM3mziipqfeqZT5gDCPciXIdQ76Q6l+lU41d/xfI5weObIFqkuXZ66WpqAK3C4qFOJOw9Tmg/Fk3MMWu75bcixpNNxgiVu4eVjLD6Hhag1pOvAG0AcnQL9nDCbPxjmVVd2CnZF4mbyayd+2S1euWdV9td1E0KcsCFqUvoi04z+WriSUQeIBGFXijbDqrfgxeYDzE8oxEvQ4wu8rHX9A9KPVEB7tOnxriMFlrT46mjScl56NgljVgXKA0Y5PRs9QcSub3MHpKMxnMZpqRUrzwEvGPEKpvM0EsxpvRPT1dJwpYTexFUExAzLFsqh4Ruzvpr90QJ+A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VNpK3qAv2yQ9sZ7w8VMQtGAL6J2czKMTwWmIzuH3+JHeFqmU1fO3926VGlo7RlSVxBoBlIgF5e8t+mQGzKoSu9lrMPEMf/F+3uasuvg/asQAD9woqh4azRwdwfa4aNxr2MLWHmOJUknSVJvrzYr+yUmLz9EK5fMP2awB74ZcYvUpybhl+Fka2Z4seWlf7CDIwT2cSN/SH/lkBGrvphpueK+JG5sh+PPppA2CqOfEO77dPKkikZdRIN7Cbt5Aann/5sjSn3qcHMOIOD1iEAcLCH6Yz1ekByz6JVrelqrUOp5hRKrIlygPRHYHwriKhqWMDEfKY7HWuIt8ixkMJoIzLQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "Tim (Xen.org)" <tim@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 17 Jan 2023 19:13:49 +0000
  • Ironport-data: A9a23:p3FgR68Ysznzu7c7NwAFDrUDsX+TJUtcMsCJ2f8bNWPcYEJGY0x3x mseCj+Obv/YYTPwLYglPNy09hxQusSGmNBhTgM9pHs8E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKucYHsZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ire7kIw1BjOkGlA5AdmPKkU5AW2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDklR5 N0TLjUcZyqEqN204rSjcc49pp0seZyD0IM34hmMzBn/JNN/GdXpZfqP4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTeLilUpiNABM/KMEjCObexTklyVu STt+GPhDwtBHNee1SCE4jSngeqncSbTCdhPTOfgrq4CbFu7gWkNKD40eWuBs+S9gBK7RON8K 3M/0397xUQ13AnxJjXnZDW6qnOZuh8XW/JLDvY3rgqKz8L8/AKxFmUCCDlbZ7QOqM4zbSwn0 BmOhdyBLSxitviZRGyQ8p+QrCiuIm4FIGkafygGQAAZpd75r+kOYgnnS99iFOu/iILzEDSpm zSS9nFm3/MUkNIB0Li98RbfmTWwq5PVTwkzoALKQmai6QA/b4mgD2C11WXmAT97BN7xZjG8U LIsx6ByMMhm4UmxqRGw
  • Ironport-hdrordr: A9a23:4QS1UalomQ14wKYY+AwSMBcl2I/pDfIR3DAbv31ZSRFFG/GwvM ql9c5rsiMc7wx8ZJhAo7+90cy7Kk80mqQa3WB8B9aftWvdyQiVxfBZjbcKqgeIc0eSygc379 YDT0ERMqyVMXFKyer8/QmkA5IB7bC8gcaVbD7lvhJQcT0=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHZJcS6xQlTtpJxX0O79yAhgOZJ+66Z2cOAgACwbwCAAAw+gIAAA0qAgAhqSQA=
  • Thread-topic: [PATCH v2 9/9] x86/shadow: harden shadow_size()
On 12/01/2023 10:42 am, Jan Beulich wrote:
> On 12.01.2023 11:31, Andrew Cooper wrote:
>> On 12/01/2023 9:47 am, Jan Beulich wrote:
>>> On 12.01.2023 00:15, Andrew Cooper wrote:
>>>> On 11/01/2023 1:57 pm, Jan Beulich wrote:
>>>>> Make HVM=y release build behavior prone against array overrun, by
>>>>> (ab)using array_access_nospec(). This is in particular to guard against
>>>>> e.g. SH_type_unused making it here unintentionally.
>>>>>
>>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>>> ---
>>>>> v2: New.
>>>>>
>>>>> --- a/xen/arch/x86/mm/shadow/private.h
>>>>> +++ b/xen/arch/x86/mm/shadow/private.h
>>>>> @@ -27,6 +27,7 @@
>>>>>  // been included...
>>>>>  #include <asm/page.h>
>>>>>  #include <xen/domain_page.h>
>>>>> +#include <xen/nospec.h>
>>>>>  #include <asm/x86_emulate.h>
>>>>>  #include <asm/hvm/support.h>
>>>>>  #include <asm/atomic.h>
>>>>> @@ -368,7 +369,7 @@ shadow_size(unsigned int shadow_type)
>>>>>  {
>>>>>  #ifdef CONFIG_HVM
>>>>>      ASSERT(shadow_type < ARRAY_SIZE(sh_type_to_size));
>>>>> -    return sh_type_to_size[shadow_type];
>>>>> +    return array_access_nospec(sh_type_to_size, shadow_type);
>>>> I don't think this is warranted.
>>>>
>>>> First, if the commit message were accurate, then it's a problem for all
>>>> arrays of size SH_type_unused, yet you've only adjusted a single instance.
>>> Because I think the risk is higher here than for other arrays. In
>>> other cases we have suitable build-time checks (HASH_CALLBACKS_CHECK()
>>> in particular) which would trip upon inappropriate use of one of the
>>> types which are aliased to SH_type_unused when !HVM.
>>>
>>>> Secondly, if it were reliably 16 then we could do the basically-free
>>>> "type &= 15;" modification.  (It appears my change to do this
>>>> automatically hasn't been taken yet.), but we'll end up with lfence
>>>> variation here.
>>> How could anything be "reliably 16"? Such enums can change at any time:
>>> They did when making HVM types conditional, and they will again when
>>> adding types needed for 5-level paging.
>>>
>>>> But the value isn't attacker controlled.  shadow_type always comes from
>>>> Xen's metadata about the guest, not the guest itself.  So I don't see
>>>> how this can conceivably be a speculative issue even in principle.
>>> I didn't say anything about there being a speculative issue here. It
>>> is for this very reason that I wrote "(ab)using".
>> Then it is entirely wrong to be using a nospec accessor.
>>
>> Speculation problems are subtle enough, without false uses of the safety
>> helpers.
>>
>> If you want to "harden" against runtime architectural errors, you want
>> to up the ASSERT() to a BUG(), which will execute faster than sticking
>> an hiding an lfence in here, and not hide what is obviously a major
>> malfunction in the shadow pagetable logic.
> I should have commented on this earlier already: What lfence are you
> talking about?

The one I thought was hiding under array_access_nospec(), but I forgot
we'd done the sbb trick.

> As to BUG() - the goal here specifically is to avoid a
> crash in release builds, by forcing the function to return zero (via
> having it use array slot zero for out of range indexes).

I'm very uneasy about having something this deep inside a component,
which ASSERT()s correctness doing something custom like this "just to
avoid crashing".

There is either something important which makes this more likely than
most to go wrong at runtime, or there is not.  And honestly, I can't see
why it is more risky at runtime.

If we really do need to clamp it, then we need a brand new helper with a
name that doesn't reference speculation at all.  It's fine for *_nospec
to reuse this helper, stating the safety of doing so, but at a code
level there need to be two appropriately named helpers for their two
logically-unrelated purposes.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.