Xen project Mailing List

[PATCH] x86/vPIC: check values loaded from state save record

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 11 May 2023 13:50:33 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FfX++Q/GI7gjOd68wAklq5PlXbkjPE/BHUhHueaKu3E=; b=enUGx60mKvujOcQMkiUT4Ecr6XvJWFbUF/jrmzjUDUnaDdLs6h2sqsO269cp/VbxmDjc606omf+XWmeL+ynTDH+b7cFSjVnv7aslwXZAtCuX6gFn6P0Uh+1gpCQfFNQAVK71tLtdSPNtM38dM8/gO/KO83PPIgwabG7msKtcUM30mrxHot+QNwz/M+hm0RuSvfObrDgLBshYiPo0pGFlbKcOxaKpVojGjzIjE6E4SgskkiIFYWDe0Iv0Wwh8Fz3ikiuc2delsaaIcCWLVV6g99dGdjM5FbUq7Csli3ifkVMD/gRduIt4eMlBIa/uorHgFFfVCYt1alXY4F7RC1jcrg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=L2r1doIJKrri6xCtuE2h9fGPWLuOUScI21erUdxDED3Nc0+zVe2H2klan8xFABFWNApAq4xMGqPV0frT4GNb8SIUWPY237KpRgTuo6kDPrJDMmk6UVwtFb7yk2gJw/oFx+N/H7ORo1fv4DwIHLjGjrDVG08Qytoa0MY3U/PMDEKSlYMQKWMZsj+efVLqUryHnbLCGpU8E3cqjYCaoKNGkEkN8o/gAuMRPNQpoVoiic9qG8OBZcJj1OyvsFPjjqD5EfB0OlgZfWAo4Ic6A4lrwEKtG9lBNBtOzsS7Slmy1GYzp0QQ5mhHlDv5B4BM/bq5RgShKymwLQmyIrY7SW3I2Q==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Thu, 11 May 2023 11:50:41 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Loading is_master from the state save record can lead to out-of-bounds accesses via at least the two container_of() uses by vpic_domain() and __vpic_lock(). Calculate the field from the supplied instance number instead. Adjust the public header comment accordingly. For ELCR follow what vpic_intercept_elcr_io()'s write path and vpic_reset() do. Convert ->int_output (which for whatever reason isn't a 1-bit bitfield) to boolean, also taking ->init_state into account. While there also correct vpic_domain() itself, to use its parameter in both places. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> --- Of course an alternative would be to simply reject state save records with bogus values. --- a/xen/arch/x86/hvm/vpic.c +++ b/xen/arch/x86/hvm/vpic.c @@ -35,7 +35,7 @@ #include <asm/hvm/save.h> #define vpic_domain(v) (container_of((v), struct domain, \ - arch.hvm.vpic[!vpic->is_master])) + arch.hvm.vpic[!(v)->is_master])) #define __vpic_lock(v) &container_of((v), struct hvm_domain, \ vpic[!(v)->is_master])->irq_lock #define vpic_lock(v) spin_lock(__vpic_lock(v)) @@ -437,6 +437,14 @@ static int cf_check vpic_load(struct dom if ( hvm_load_entry(PIC, h, s) != 0 ) return -EINVAL; + s->is_master = !inst; + + s->elcr &= vpic_elcr_mask(s); + if ( s->is_master ) + s->elcr |= 1 << 2; + + s->int_output = !s->init_state && s->int_output; + return 0; } --- a/xen/include/public/arch-x86/hvm/save.h +++ b/xen/include/public/arch-x86/hvm/save.h @@ -329,7 +329,10 @@ struct hvm_hw_vpic { /* Special mask mode excludes masked IRs from AEOI and priority checks. */ uint8_t special_mask_mode:1; - /* Is this a master PIC or slave PIC? (NB. This is not programmable.) */ + /* + * Is this the master PIC or a slave one? (NB. This is not programmable, + * and hence is ignored upon loading.) + */ uint8_t is_master:1; /* Edge/trigger selection. */

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.