[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/3] x86: Reject bad %dr6/%dr7 values when loading guest state


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Wed, 30 Aug 2023 16:28:44 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UZcNk7Wbo9xCtpqRbx4rtQ1B38ZDUKUG6haMmDp3Y7A=; b=mAihpT6Odj1owPCcJFNEPQDy2V1Sfh6/svd5Wqw5UhB08UMem4rXDw0PohHutvH66jNY2Tt7HDNsiTA5Gt2A9Jdhz4uFg34pE648/9cUjvZDHHRY54L/0cgthhqsIgnuPrrVTFi0d8T8CmJ8BclER6NbA+2Egt57pO95Av5bN5Xnl9dFq7/gkp0Jl4znbtEfrSpy6aYNMBCD3TD1+bUDxCsC695TzkZG+OLcPeummdEXlmVTf1CloECYS/n/kAWHHPi4qVXtcPGdKq6DzGG2xrxWW3aGa7BvqZHjEi3vapdMVYsaz7T/fJXeezVIwpCswbPBoqbq9J0Dotfkh3hm+w==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WqxLzXJEE0VSGqOEwgUNNpupWaVd/qKO+CQHkZlA8JE/5YLJaA3TdQ1ecknZMfqw1Rj0qkg2k/Fp2HgtMwoNOdQz0wJxt8KK3BB6E5tTtI0z5wqM++LdmbcvIe2QARj3RMA6Vd76365IsSZY/gRoiQTVG7NFoAm7YsUpg6mJBTnsB00jr3FJDR2qLv54sBmIfMgsWx/PqrrcmVO738ibqL2PTYsG4xQIM2ATkhAd/ozYgPZEuXGez2LgZFejuDf9adk88cTVCEAm4/gVO4TjZYZbRIty1qJhauI+At/sJ8J2zAfG6WZqnjs5LZuCiDDwWbHMwUrtmiaq6QfRtXHnvg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jinoh Kang <jinoh.kang.kr@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 30 Aug 2023 15:29:04 +0000
  • Ironport-data: A9a23:/KbC/6leJQJI2nxY44Ka94Po5gxFJ0RdPkR7XQ2eYbSJt1+Wr1Gzt xIdUDjTMqnbYmf2L9h3bNy28kMAuMSHm9NqTQJq+SpgRiMWpZLJC+rCIxarNUt+DCFhoGFPt JxCN4aafKjYaleG+39B55C49SEUOZmgH+a6U6icfHgqH2eIcQ954Tp7gek1n4V0ttawBgKJq LvartbWfVSowFaYCEpNg064gE0p5K6aVA8w5ARkPqgb5weGzBH5MbpETU2PByqgKmVrNrbSq 9brlNmR4m7f9hExPdKp+p6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTbZLwXXx/mTSR9+2d/ f0W3XCGpaXFCYWX8AgVe0Ew/yiTpsSq8pefSZS0mZT7I0Er7xIAahihZa07FdRwxwp5PY1B3 fo9Di49YTWzu763x67rVPUx39t4J9a+aevzulk4pd3YJdAPZMifBoD1v5pf1jp2gd1SF/HDY cZfcSBocBnLfxxIPBEQFY46m+CrwHL4dlW0qnrM/fZxvzeVk1c3ieeyWDbWUoXiqcF9t0CUv G/ZuU/+BQkXLoe3wjuZ6HO8wOTImEsXXapLTuTgrqQx3gT7Kmo7SzsJUQWrs9aCi2mvV/1YA WM+4SQTsv1nnKCsZpynN/Gim1aGtBMBX9tbE8Uh9RqAjKHT5m6xGWwsXjNHLts8u6ceRz0s0 V/PnNrvCnpsqpWaTHuc8vGfqjbaETgYKyoOaDEJSSMB4sL/u8cjgxTXVNFhHaWpyNrvFlnNL yuiqSE/g/AWkpQN3qDjoVTf2Wvz+d7OUxI/4RjRUiS99ARlaYW5Zouur1/G8fJHK4XfRV6E1 JQZp/WjACk1JcnlvESwrC8lRdlFO97t3OXgvGNS
  • Ironport-hdrordr: A9a23:Gu/2za4C+HWJvzEFkAPXwAzXdLJyesId70hD6qkQc3Fom62j5q WTdZEgvyMc5wx/ZJhNo7690cq7MBHhHPxOgbX5VI3KNGXbUQOTR72KhrGSoAEIdReeygZcv5 0QCZSXCrfLfCVHZRCR2njFLz4iquP3j5xBnY3lvhNQpZkBUdAZ0+9+YDzrdXFedU19KrcSMo GT3cZDryrIQwVtUizqbkN1OdQqvrfw5evbXSI=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 30/08/2023 4:12 pm, Jan Beulich wrote:
> On 30.08.2023 16:35, Andrew Cooper wrote:
>> On 29/08/2023 3:08 pm, Jan Beulich wrote:
>>> On 29.08.2023 15:43, Andrew Cooper wrote:
>>>> --- a/xen/arch/x86/domain.c
>>>> +++ b/xen/arch/x86/domain.c
>>>> @@ -1074,8 +1074,27 @@ int arch_set_info_guest(
>>>>  #endif
>>>>      flags = c(flags);
>>>>  
>>>> +    if ( !compat )
>>>> +    {
>>>> +        if ( c(debugreg[6]) != (uint32_t)c(debugreg[6]) ||
>>>> +             c(debugreg[7]) != (uint32_t)c(debugreg[7]) )
>>>> +            return -EINVAL;
>>>> +    }
>>>> +
>>>>      if ( is_pv_domain(d) )
>>>>      {
>>>> +        /*
>>>> +         * Prior to Xen 4.11, dr5 was used to hold the emulated-only
>>>> +         * subset of dr7, and dr4 was unused.
>>>> +         *
>>>> +         * In Xen 4.11 and later, dr4/5 are written as zero, ignored for
>>>> +         * backwards compatibility, and dr7 emulation is handled
>>>> +         * internally.
>>>> +         */
>>>> +        for ( i = 0; i < ARRAY_SIZE(v->arch.dr); i++ )
>>>> +            if ( !access_ok(c(debugreg[i]), sizeof(long)) )
>>> Don't you mean __addr_ok() here, i.e. not including the
>>> is_compat_arg_xlat_range() check? (Else I would have asked why
>>> sizeof(long), but that question resolves itself with using the other
>>> macro.)
>> For now, I'm simply moving a check from set_debugreg() earlier in
>> arch_set_info_guest().
>>
>> I think it would be beneficial to keep that change independent.
> Hmm, difficult. I'd be okay if you indeed moved the other check. But
> you duplicate it here, and duplicating questionable code is, well,
> questionable.

It can't be removed in set_debugreg() because that's used in other paths
too.

And the error from set_debugreg() can't fail arch_set_info_guest()
because that introduces a failure after mutation of the vCPU state.

This isn't a fastpath.  It's used approximately once per vCPU lifetime.

~Andrew



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.