[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/vPIT: check/bound values loaded from state save record

  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Wed, 25 Oct 2023 11:44:35 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Z1KptLY6s8G1aC7NRTKk/+NRb+SR2CZLBeSf8DIC+hc=; b=ihv6m3UyxsaTaMWbvWLmVy5eKnOqStXrWRkV+CKnENlYcnqrtr6UeQDpNlWSEmo37vuFRz7LuXgZo+wGG8cR3NEj91xd8BmGdS8dscSkLmP0k9Wse1F7aN8nBDLjjjOSC8eB2IzexoCZyNUo8UXeQQFOT+TXvQmm2aVFLxOuZ9U4wC6/KhtCUItEXL4xWMX4Wa0EBK0dVq4VsgPD2rLlpxvCAPL738+MJfbzlayQtK2t+O5UFEluVZnb8Bi+4BwunHT7BdF45nmqhnrnNaC+l49WrwgRrHarej4gUNlMuaYruFwy6wouxj+70fm2okO6ZW5Mb6f7CCKGT+32QE2ePg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WwOjBg3za6LEDPVkt5s4S1Ixnn9+obfK7hggsiO/jt681xMOAQPWwz332yd6Z7pNqAViiScHPxgJFiqXn5cP+IugkLxdOll9m5YauTpz+J6tttqbQf8Rg6pLqFLBPk0avooQEWNtLetonqvILzkDTc6hjVpuBJO95Xjc/fewoF6zUd2laCf7J+8gktkva75LXvLl2gBEeG5+LPeNfTSDFWuAC9PDl6MzJbmIwRKolAJvfmPwtOpCxeKKRDk7RUpRPB81Qle93GvEjHYDMwkzZ4iKRtJ8LcwWjAFc3tOWQmSi2nqFkelE/ZG1dUjm9rl9M5+82ZV7hFZPsTQ//IX7hQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Wed, 25 Oct 2023 09:44:49 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 25.10.2023 11:11, Roger Pau Monné wrote:
> On Thu, May 11, 2023 at 01:50:05PM +0200, Jan Beulich wrote:
>> In particular pit_latch_status() and speaker_ioport_read() perform
>> calculations which assume in-bounds values. Several of the state save
>> record fields can hold wider ranges, though.
>>
>> Note that ->gate should only be possible to be zero for channel 2;
>> enforce that as well.
>>
>> Adjust pit_reset()'s writing of ->mode as well, to not unduly affect
>> the value pit_latch_status() may calculate. The chosen mode of 7 is
>> still one which cannot be established by writing the control word.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>> ---
>> Of course an alternative would be to simply reject state save records
>> with out of bounds values.
> 
> I've been taking a look at how we load other records, and
> lapic_load_hidden() for example will return error when invalid values
> are found.
> 
> IMO that seems safer, I think there's a risk in the adjustments
> done below to also lead to not safe combinations of fields.
> 
> So we either reject the state and return an error, or we silently
> reject and leave the PIT in the reset state.
> 
> Unless there's a reason we need to handle such bogus state.

Well, I've tried to be conservative (similarly in the vPIC equivalent
change) as to affecting guests with potentially bogus incoming
migration streams. Such guests may have been migrated multiple times,
from pretty old Xen, and I don't consider it reasonable to check each
and every Xen version as to possibly permitting out-of-range values
to be reached and then saved when migrating the guest away. Imo if we
were to reject bad input, we'd need to have a way to override that.
Requiring people to "fix" the data in the migration stream seems to
me like demanding too much in such a situation.

What we could also consider is have the tool stack do the adjustment
(perhaps optionally, e.g. driven by a command line option), while
unconditionally refusing out of range input in the hypervisor. But
of course that's more involved, overall (and could still end in
perceived regressions, even if those are then easier to overcome).

>> @@ -426,6 +427,33 @@ static int cf_check pit_load(struct doma
>>      }
>>      
>>      /*
>> +     * Convert loaded values to be within valid range, for them to represent
>> +     * actually reachable state.  Uses of some of the values elsewhere 
>> assume
>> +     * this is the case.
>> +     */
>> +    for ( i = 0; i < ARRAY_SIZE(pit->hw.channels); ++i )
>> +    {
>> +        struct hvm_hw_pit_channel *ch = &pit->hw.channels[i];
>> +
>> +        /* pit_load_count() will convert 0 suitably back to 0x10000. */
>> +        ch->count &= 0xffff;
> 
> Might be helpful to have this in a define, as it's also used by
> pit_get_count().

Hmm, the two uses of 0xffff aren't exactly for the same purpose.
Here we're bounding the input range, whereas there we simply need to
deal with overflow that unavoidably can happen when the counter has
wrapped at least once. Really the comment is here to avoid putting
in place the more precise but also more involved

        if ( ch->count > 0x10000 )
            ch->count &= 0xffff;

If we used this, divergence from pit_get_count() would be yet larger.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.