[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] x86/vPIT: check/bound values loaded from state save record
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Wed, 25 Oct 2023 11:11:38 +0200
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=GNCFQPV10RxB9LnKmmM1SlcJ3j9u9u2eVdfyiig0OkQ=; b=SPo41nnUl/v/MlAe/BhWzlhCIxwhqXYC2qK1SiygmDq0YWW2uCRFH3PoNDxyi20qx5nbGMmTorUZ96VRpdDsZiaNSoc2vXou7aLVjDl1WcJ2kZeh7VAznEDA7+LisJ1kk7n4CWlr1F3xg2dn750Zay3+v8sioSOr+bi7CfvZzOV5//+59YiHQJSBVH3tW5h6+y2Rj0hBWVN/hvO7s5Pe+4HQPGin8b+KVaQ49KHD6MN9fmxlrtFYu3kLOJGoXjKdhSchSyQsQVyy0YsInPCi+b0i7ePZPxN2FJgOjoxIW7W5aK91x9NoaucF4kCt+VlU3rr8PLBaffvc2mt1Sy0psA==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=acc3tksCMCiFt+uLBayGCdSTHWSG1rJllpQcp6flghuYMAOkUjTVrd4CYDixUSsj/GflmQ6EjwB09wLfz1A2sio2kKqTN7chGMFdiTYoGdyy9mRAkMHDlbFGZNNZjzKQGWwZH+ceTwacUn5vuH/BnkNpzKrbBuOqEedZysc7eTitakt1kgkmJ1wqXl0N2R0EhPNq2ElNL4pfr3yW8bmB8vMLA2s/1pLDtDqlspD5ARuRKDRwvGIY+zj6ZmQoj0FUz7AQ+Tp0cOgcOc0m4dM3M9zP2vqAKek9A40viTKbiGhUP/UJGjrNoM+XACRcrM+kKdTgMpaN+imSKpRyuQA4ug==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
- Delivery-date: Wed, 25 Oct 2023 09:12:14 +0000
- Ironport-data: A9a23:CKUbeqlW9uqhIb8ccj4NCmjo5gynJ0RdPkR7XQ2eYbSJt1+Wr1Gzt xIcWmzUMvyDMTP2e4hzaI6/oEIEvJTTx4NgSgRr+HtmQSMWpZLJC+rCIxarNUt+DCFhoGFPt JxCN4aafKjYaleG+39B55C49SEUOZmgH+e6UKicfHkpGWeIcQ954Tp7gek1n4V0ttawBgKJq LvartbWfVSowFaYCEpNg064gE0p5K+aVA8w5ARkPqkT5gKGzhH5MbpETU2PByqgKmVrNrbSq 9brlNmR4m7f9hExPdKp+p6TnpoiG+O60aCm0xK6aoD66vRwjnVaPpUTbZLwXXx/mTSR9+2d/ f0W3XCGpaXFCYWX8AgVe0Ew/yiTpsSq8pefSZS0mZT7I0Er7xIAahihZa07FdRwxwp5PY1B3 cdIeTQQbRPeu+6VxIuaUe9B19QmJvC+aevzulk4pd3YJdAPZMmaBo/stZpf1jp2gd1SF/HDY cZfcSBocBnLfxxIPBEQFY46m+CrwHL4dlW0qnrM/fZxvzeVkVw3iea9WDbWUoXiqcF9hEGXq 3iA523kKhobKMae2XyO9XfEaurnxHmmCNhKSODjnhJsqEbKnFZJLAcZbHWUg/bkpRSVHP0AN lNBr0LCqoB3riRHVOLVXRe1vXqFtR40QMdLHqsx7wTl4rrZ5UOVC3YJShZFacc6r4kmSDoyz FiLktj1Qzt1v9W9Vna15rqS6zSoNkAowXQqYCYFSU4P5YnlqYRq1xbXFI89QOiyk8H/Hiz2z 3aSti8iir4PjMkNkaKm4VTAhDHqrZ/MJuIo2jjqsquexlsRTOaYi0aAsDA3Md4owF6lc2S8
- Ironport-hdrordr: A9a23:vKxMrK4sdVIszHFmxAPXwUCCI+orL9Y04lQ7vn2ZFiYlFfBwxv re+MjziyWE7Qr5AEtQ6+xo/ZPwCE819fZOkPMs1MSZLXzbUQqTXcFfBO7ZshHd8kLFh5BgPM tbAtBD4ZjLfCtHZKXBkUqF+rQbsai6GcmT7I+0oxgCPGIaDdAY0+pgMGam+w9NNXl77PECZe ehD7981kWdkAMsH7iG7xc+LpP+TwGiruOFXTc2QzMq9QWFkDWyyJO/KgOf1BsFST9DqI1Su1 QtpzaJo5lL/svLkSM1GAfontVrseqk7uEGKN2Hi8ATJDmpogG0ZL55U7nHkCEprPqp4FMKls CJhxs7Jcx8517YY2nw+HLWqlTd+Qdrz0Wn5U6TgHPlr8C8bDUmC/BZjYYcXgrF51EmtNRc1r sO+26CrZJYAT7JgSy4zdnVUBNBkFayvBMZ4LQupk0adbFbRK5arIQZ8k8QOJAcHBji4IRiK+ VqBNG03ocbTbvPBUq5gkBfhPiXGlgjFBaPRUYP/uaP1SJNoXx/x0wEgOQCg3Yp7vsGOst5zt WBFp4tuKBFT8cQY644LvwGW9GLBmvERg+JGH6OIG7gCLoMNxv22s3KCY0OlbSXkaEzvcoPcd X6IQ1lXFcJCh3T4Bi1rc12GhOkehTxYd2i8LAdlsxEUnuVfsuuDcTJciFbryKamYRVPiUAM8 zDfq6+M8WTalcGUbw5qDEWe6MicEX2A/dl4urSrTq104z2wnqDjJ2VTB+UHsuwLd5IMlmPVU crbXzPAIFp402qXTvRnAXRMkmdUHDXzNZMNOzz8uUSz8w1LYtArgIJo1K16qiwWBB/m51zQW 87Db/jkry2vi2N/WjO53h0IRY1NDd/3JzQF05v4SsjE2axSpool/WhVU0X4VuiCnZEJf/+IU pjgxBS0YKTa6Ct5Q1KMb+a2qfztQo6mJpPJ61ss5FqIq/eC8UF5ppKYt0GKeziLW08pTpX
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, May 11, 2023 at 01:50:05PM +0200, Jan Beulich wrote:
> In particular pit_latch_status() and speaker_ioport_read() perform
> calculations which assume in-bounds values. Several of the state save
> record fields can hold wider ranges, though.
>
> Note that ->gate should only be possible to be zero for channel 2;
> enforce that as well.
>
> Adjust pit_reset()'s writing of ->mode as well, to not unduly affect
> the value pit_latch_status() may calculate. The chosen mode of 7 is
> still one which cannot be established by writing the control word.
>
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> Of course an alternative would be to simply reject state save records
> with out of bounds values.
I've been taking a look at how we load other records, and
lapic_load_hidden() for example will return error when invalid values
are found.
IMO that seems safer, I think there's a risk in the adjustments
done below to also lead to not safe combinations of fields.
So we either reject the state and return an error, or we silently
reject and leave the PIT in the reset state.
Unless there's a reason we need to handle such bogus state.
> --- a/xen/arch/x86/emul-i8254.c
> +++ b/xen/arch/x86/emul-i8254.c
> @@ -47,6 +47,7 @@
> #define RW_STATE_MSB 2
> #define RW_STATE_WORD0 3
> #define RW_STATE_WORD1 4
> +#define RW_STATE_NUM 5
>
> static int cf_check handle_pit_io(
> int dir, unsigned int port, unsigned int bytes, uint32_t *val);
> @@ -426,6 +427,33 @@ static int cf_check pit_load(struct doma
> }
>
> /*
> + * Convert loaded values to be within valid range, for them to represent
> + * actually reachable state. Uses of some of the values elsewhere assume
> + * this is the case.
> + */
> + for ( i = 0; i < ARRAY_SIZE(pit->hw.channels); ++i )
> + {
> + struct hvm_hw_pit_channel *ch = &pit->hw.channels[i];
> +
> + /* pit_load_count() will convert 0 suitably back to 0x10000. */
> + ch->count &= 0xffff;
Might be helpful to have this in a define, as it's also used by
pit_get_count().
Thanks, Roger.
|
