[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/3] x86: Reject bad %dr6/%dr7 values when loading guest state

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 30 Aug 2023 18:13:02 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=TBv+P7hCywnxBQ/CXh8RKmYalil3lqyAD1ES3zozyDM=; b=kCrC8mapUH49KAIWFpeQ4d7XIuaGt/wCqNgp0+oRoD8yC1Ycub4fzvODMjZgCfJ79xCiinR/OogDrbqKlwlH0+wx54iNbDqKVAqxcvHWTkMANphBkZACcljBRS348ka/7qWKR4bpCzBeaXc8+wnnmGjuDDc3lmab6nPeZzON67R1D1Hv5DUisk5DhtYYApONeo/fMzkMxp9Vp6o2dB2RgpVkByoUAEY3/AM3/CxsDnZ7oBx1FG5wqeXCkdeKPdo37gHoi8OZtGLXnnBKQw9XPi60A4boIn64Ai3pAk0LKk+k3VhF3Uk/UH+jw1hDB+N2GSdIhn7wy8c8+wrXGZmA/A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=StItPYGTC0cm1qkVKW6jinzfvm8nkhyvsjAqYm9UH0fknmjUYBfbnKxa3bKaNbrBOlsLgNvuCshrCN0bnB+blg5AsfFQDQkCJzTcrhHYm4qwFRenV5+db+obmRse6PChgZa7uoJeutng8WbLfnuH703zpWQyQuluoK3wq6VylM6HVgJMGdflaav8GmDr0VSFxHEFTmziPn3M/tuoetalWMCwCPqCiSHFWRKLpxcZMCFxYbwzLHT5wmtEnbn4tM6UZ3dlRpPHqtfFVqJ9CjUc2V48lafqeaKLPcBLOR9ffZHNOpHHFFmXBm4HBAKSmGc9WSpNeBzJ3O0nlc6be8DV9w==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jinoh Kang <jinoh.kang.kr@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 30 Aug 2023 16:13:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 30.08.2023 17:28, Andrew Cooper wrote:
> On 30/08/2023 4:12 pm, Jan Beulich wrote:
>> On 30.08.2023 16:35, Andrew Cooper wrote:
>>> On 29/08/2023 3:08 pm, Jan Beulich wrote:
>>>> On 29.08.2023 15:43, Andrew Cooper wrote:
>>>>> --- a/xen/arch/x86/domain.c
>>>>> +++ b/xen/arch/x86/domain.c
>>>>> @@ -1074,8 +1074,27 @@ int arch_set_info_guest(
>>>>>  #endif
>>>>>      flags = c(flags);
>>>>>  
>>>>> +    if ( !compat )
>>>>> +    {
>>>>> +        if ( c(debugreg[6]) != (uint32_t)c(debugreg[6]) ||
>>>>> +             c(debugreg[7]) != (uint32_t)c(debugreg[7]) )
>>>>> +            return -EINVAL;
>>>>> +    }
>>>>> +
>>>>>      if ( is_pv_domain(d) )
>>>>>      {
>>>>> +        /*
>>>>> +         * Prior to Xen 4.11, dr5 was used to hold the emulated-only
>>>>> +         * subset of dr7, and dr4 was unused.
>>>>> +         *
>>>>> +         * In Xen 4.11 and later, dr4/5 are written as zero, ignored for
>>>>> +         * backwards compatibility, and dr7 emulation is handled
>>>>> +         * internally.
>>>>> +         */
>>>>> +        for ( i = 0; i < ARRAY_SIZE(v->arch.dr); i++ )
>>>>> +            if ( !access_ok(c(debugreg[i]), sizeof(long)) )
>>>> Don't you mean __addr_ok() here, i.e. not including the
>>>> is_compat_arg_xlat_range() check? (Else I would have asked why
>>>> sizeof(long), but that question resolves itself with using the other
>>>> macro.)
>>> For now, I'm simply moving a check from set_debugreg() earlier in
>>> arch_set_info_guest().
>>>
>>> I think it would be beneficial to keep that change independent.
>> Hmm, difficult. I'd be okay if you indeed moved the other check. But
>> you duplicate it here, and duplicating questionable code is, well,
>> questionable.
> 
> It can't be removed in set_debugreg() because that's used in other paths
> too.

Sure, I understand that.

> And the error from set_debugreg() can't fail arch_set_info_guest()
> because that introduces a failure after mutation of the vCPU state.
> 
> This isn't a fastpath.  It's used approximately once per vCPU lifetime.

But fast or not isn't the point here. The point is that both the use
of access_ok() and the use of sizeof(long) are bogus in this context.
Switching to __addr_ok() will tighten the check here (and hence not
risk set_debugreg() later raising an error).

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.