[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 9/9] x86/shadow: harden shadow_size()

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Fri, 20 Jan 2023 17:36:02 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oqEnxtvyof8znt0qn7lvlru2ub9fDToLj+p44VLQhUY=; b=TMFnNcx9SG/SP33U9azhaERHHLPShaTH1ytatSmXweLGXcPgsp3R1DfcyjsB1WebldSVaA0/fuB1px/s+99PD+fgA10opwdEnTCS6ybjjlqs+hf29b9YhAjqFmHhmgdiJxXuB+6/SjFgvJ1zdc1vOzsH6NnMa8m8qSYx8/mRtg6MtF+u0MxJk+CCtarAw3xOVmvoiICt5sy97LUoRlMTepuiIBI3S9sfh3zm6Sn+vd2PlD/C+JyEgucc29IH4Gp1w+1wWTjPvQfFe5gi79vYciYVXo0+6r35IwTDVyhsEdU6BlZ0WZAu+XVPJmOD6VhoLoQlO5j4+uKqgFmIvjHMXw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=JdKWkmoyho6462BUo8Mre7WMMj5VUDB2zZp5iMvjk45WIm1fVP87eRfUhVk/tnIIPT7fjX1ygLwxvM5+mYERqrAkkf0nEBi2PmUi8raQzboChLiz4XIjFYtHXOWnUQD7qJovzBdj6MgjO/I1m7z+oRkOCN99XmGHkQOnDYj0JqtCwPlauV9R1b9wIECcHbAezLJiYfOFBfotAkr6PQKImb/WqdsAPJsuuF09n6I/Vk8zIs1CmAHDg4JDzWHG3F0o4Z015eACdY+Z5FPKLzi6SFh5mGTl95HUsZ0Ef7V1RRPHQfiwxIrtQGFTDH3W/k6QR6BL/0Ia2VJqvXA8CeiISw==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, "Tim (Xen.org)" <tim@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 20 Jan 2023 17:36:34 +0000
  • Ironport-data: A9a23:lINmbaobMRhZo21qzmbAOEoHgTBeBmIuZBIvgKrLsJaIsI4StFCzt garIBnUaPiCYjanfd8kOtm0pk9Xv8eEzdNkQANp/Cs8QSIVp5uZCYyVIHmrMnLJJKUvbq7FA +Y2MYCccZ9uHhcwgj/3b9ANeFEljfngqoLUUbKCYWYpAFc+E0/NsDo788YhmIlknNOlNA2Ev NL2sqX3NUSsnjV5KQr40YrawP9UlKm06WxwUmAWP6gR5weHzSFNVvrzGInqR5fGatgMdgKFb 76rIIGRpgvx4xorA9W5pbf3GmVirmn6ZFXmZtJ+AsBOszAazsAA+v9T2Mk0MC+7vw6hjdFpo OihgLTrIesf0g8gr8xGO/VQO3kW0aSrY9YrK1Dn2SCY5xWun3cBX5yCpaz5VGEV0r8fPI1Ay RAXAHc/dQ2vtsCS+674QLBsqcgFFc3UPKpK7xmMzRmBZRonabbqZvyQoPpnhnI3jM0IGuvCb c0EbzYpdA7HfxBEJlYQDtQ5gfusgX78NTZfrTp5p4JuuzSVkFM3juarbIq9lt+iHK25mm6xo G7c8nu/KRYdLNGFkhKO8262h/+JliT+MG4XPOzmrqYz3QfIroAVICYnCHm2i/W2sFCVdehgA hVX5Bg0hqdnoSRHSfG4BXVUukWsvBQRRt5RGO0S8xyWx+zf5APxLncAZi5MbpohrsBebSAr0 3eZktWvAiZg2JWFRHTY+rqKoDeaPSkOMXREdSICVREC4dTovMc0lB2nczp4OKu8j9mwHC6qx TmP9XI6n+9L0Z5N0Lin91fahT7qvoLOUgM++gTQWCSi8x99Y4mmIYev7DA38Mp9EWpQdXHZ1 FBspiRUxLlm4U2l/MBVfNgwIQ==
  • Ironport-hdrordr: A9a23:RTxWg6un/VAqCpkJ9aLAMK2y7skDc9V00zEX/kB9WHVpm62j5q aTdZEgviMc5wxhPE3I9erhBEDiewK6yXcW2+Qs1N6ZNWGNhILPFvAA0WKI+UyEJ8SRzJ8+6U 5WScRD4QzLbGST3K7BjjVRTb4br+W6zA==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHZJcS6xQlTtpJxX0O79yAhgOZJ+66Z2cOAgACwbwCAAAw+gIAAA0qAgAhqSQCAAT6YAIADXTAA
  • Thread-topic: [PATCH v2 9/9] x86/shadow: harden shadow_size()
On 18/01/2023 2:13 pm, Jan Beulich wrote:
> On 17.01.2023 20:13, Andrew Cooper wrote:
>> On 12/01/2023 10:42 am, Jan Beulich wrote:
>>> On 12.01.2023 11:31, Andrew Cooper wrote:
>>>> On 12/01/2023 9:47 am, Jan Beulich wrote:
>>>>> On 12.01.2023 00:15, Andrew Cooper wrote:
>>>>>> On 11/01/2023 1:57 pm, Jan Beulich wrote:
>>>>>>> Make HVM=y release build behavior prone against array overrun, by
>>>>>>> (ab)using array_access_nospec(). This is in particular to guard against
>>>>>>> e.g. SH_type_unused making it here unintentionally.
>>>>>>>
>>>>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>>>>> ---
>>>>>>> v2: New.
>>>>>>>
>>>>>>> --- a/xen/arch/x86/mm/shadow/private.h
>>>>>>> +++ b/xen/arch/x86/mm/shadow/private.h
>>>>>>> @@ -27,6 +27,7 @@
>>>>>>>  // been included...
>>>>>>>  #include <asm/page.h>
>>>>>>>  #include <xen/domain_page.h>
>>>>>>> +#include <xen/nospec.h>
>>>>>>>  #include <asm/x86_emulate.h>
>>>>>>>  #include <asm/hvm/support.h>
>>>>>>>  #include <asm/atomic.h>
>>>>>>> @@ -368,7 +369,7 @@ shadow_size(unsigned int shadow_type)
>>>>>>>  {
>>>>>>>  #ifdef CONFIG_HVM
>>>>>>>      ASSERT(shadow_type < ARRAY_SIZE(sh_type_to_size));
>>>>>>> -    return sh_type_to_size[shadow_type];
>>>>>>> +    return array_access_nospec(sh_type_to_size, shadow_type);
>>>>>> I don't think this is warranted.
>>>>>>
>>>>>> First, if the commit message were accurate, then it's a problem for all
>>>>>> arrays of size SH_type_unused, yet you've only adjusted a single 
>>>>>> instance.
>>>>> Because I think the risk is higher here than for other arrays. In
>>>>> other cases we have suitable build-time checks (HASH_CALLBACKS_CHECK()
>>>>> in particular) which would trip upon inappropriate use of one of the
>>>>> types which are aliased to SH_type_unused when !HVM.
>>>>>
>>>>>> Secondly, if it were reliably 16 then we could do the basically-free
>>>>>> "type &= 15;" modification.  (It appears my change to do this
>>>>>> automatically hasn't been taken yet.), but we'll end up with lfence
>>>>>> variation here.
>>>>> How could anything be "reliably 16"? Such enums can change at any time:
>>>>> They did when making HVM types conditional, and they will again when
>>>>> adding types needed for 5-level paging.
>>>>>
>>>>>> But the value isn't attacker controlled.  shadow_type always comes from
>>>>>> Xen's metadata about the guest, not the guest itself.  So I don't see
>>>>>> how this can conceivably be a speculative issue even in principle.
>>>>> I didn't say anything about there being a speculative issue here. It
>>>>> is for this very reason that I wrote "(ab)using".
>>>> Then it is entirely wrong to be using a nospec accessor.
>>>>
>>>> Speculation problems are subtle enough, without false uses of the safety
>>>> helpers.
>>>>
>>>> If you want to "harden" against runtime architectural errors, you want
>>>> to up the ASSERT() to a BUG(), which will execute faster than sticking
>>>> an hiding an lfence in here, and not hide what is obviously a major
>>>> malfunction in the shadow pagetable logic.
>>> I should have commented on this earlier already: What lfence are you
>>> talking about?
>> The one I thought was hiding under array_access_nospec(), but I forgot
>> we'd done the sbb trick.
>>
>>> As to BUG() - the goal here specifically is to avoid a
>>> crash in release builds, by forcing the function to return zero (via
>>> having it use array slot zero for out of range indexes).
>> I'm very uneasy about having something this deep inside a component,
>> which ASSERT()s correctness doing something custom like this "just to
>> avoid crashing".
>>
>> There is either something important which makes this more likely than
>> most to go wrong at runtime, or there is not.  And honestly, I can't see
>> why it is more risky at runtime.
> Well, okay. I did explain why I think there is an increased risk here.
>
>> If we really do need to clamp it, then we need a brand new helper with a
>> name that doesn't reference speculation at all.  It's fine for *_nospec
>> to reuse this helper, stating the safety of doing so, but at a code
>> level there need to be two appropriately named helpers for their two
>> logically-unrelated purposes.
> I don't think anything can sensibly be made for more general purpose
> (not speculation related) use. Here I'm specifically utilizing that
> array slot 0 is being picked as the fallback slot _and_ that slot is
> actually suitable. This may not be the case for other arrays.
>
> Anyway - taking things together I will then simply consider the patch
> rejected, despite it being a seemingly easy step of hardening.

I don't have a problem, in principle, with something like
array_clamp(arr, idx) as long as it comes with a API description making
it clear that it turns out-of-bounds indices into 0.

But use of this in code also needs to come with a comment explaining why
the piece of code is risky enough to justify it.  (As much as anything
else, so we can figure out when to remove it if the preconditions change.)

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.