[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH] x86/boot: Fix PVH boot during boot_info transition period
On Tue, Oct 22, 2024 at 01:41:14PM +0100, Andrew Cooper wrote: > multiboot_fill_boot_info() taking the physical address of the multiboot_info > structure leads to a subtle use-after-free on the PVH path, with rather less > subtle fallout. > > The pointers used by __start_xen(), mbi and mod, are either: > > - MB: Directmap pointers into the trampoline, or > - PVH: Xen pointers into .initdata, or > - EFI: Directmap pointers into Xen. > > Critically, these either remain valid across move_xen() (MB, PVH), or rely on > move_xen() being inhibited (EFI). > > The conversion to multiboot_fill_boot_info(), taking only mbi_p, makes the PVH > path use directmap pointers into Xen, as well as move_xen() which invalidates > said pointers. > > Switch multiboot_fill_boot_info() to consume the same virtual addresses that > __start_xen() currently uses. This keeps all the pointers valid for the > duration of __start_xen(), for all boot protocols. > > It can be safely untangled once multiboot_fill_boot_info() takes a full copy > the multiboot info data, and __start_xen() has been moved over to using the > new boot_info consistently. > > Right now, bi->{loader,cmdline,mods} are problematic. Nothing uses > bi->mods[], and nothing uses bi->cmdline after move_xen(). > > bi->loader is used after move_xen(), although only for cmdline_cook() of > dom0's cmdline, where it happens to be benign because PVH boot skips the > inspection of the bootloader name. > > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> One nit below about dropping a const keyword. > --- > CC: Jan Beulich <JBeulich@xxxxxxxx> > CC: Roger Pau Monné <roger.pau@xxxxxxxxxx> > CC: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx> > > This is more proof that Xen only boots by accident. It certainly isn't by any > kind of design. > > https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/1506947472 > including the pending work to add a PVShim test > > This is the least-invasive fix given the rest of the Hyperlaunch series. > > A different option would to introduce EFI and PVH forms of > multiboot_fill_boot_info(), but that would involve juggling even more moving > parts during the transition period. > --- > xen/arch/x86/setup.c | 25 ++++++++++++++++++++----- > 1 file changed, 20 insertions(+), 5 deletions(-) > > diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c > index db670258d650..e43b56d4e80f 100644 > --- a/xen/arch/x86/setup.c > +++ b/xen/arch/x86/setup.c > @@ -283,11 +283,10 @@ struct boot_info __initdata xen_boot_info = { > .cmdline = "", > }; > > -static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p) > +static struct boot_info *__init multiboot_fill_boot_info( > + multiboot_info_t *mbi, module_t *mods) Shouldn't mbi keep the const keyword? Given there are no changes on how it's used in multiboot_fill_boot_info(). Thanks, Roger.
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |