[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/boot: Fix PVH boot during boot_info transition period



On Tue, Oct 22, 2024 at 01:41:14PM +0100, Andrew Cooper wrote:
> multiboot_fill_boot_info() taking the physical address of the multiboot_info
> structure leads to a subtle use-after-free on the PVH path, with rather less
> subtle fallout.
> 
> The pointers used by __start_xen(), mbi and mod, are either:
> 
>  - MB:  Directmap pointers into the trampoline, or
>  - PVH: Xen pointers into .initdata, or
>  - EFI: Directmap pointers into Xen.
> 
> Critically, these either remain valid across move_xen() (MB, PVH), or rely on
> move_xen() being inhibited (EFI).
> 
> The conversion to multiboot_fill_boot_info(), taking only mbi_p, makes the PVH
> path use directmap pointers into Xen, as well as move_xen() which invalidates
> said pointers.
> 
> Switch multiboot_fill_boot_info() to consume the same virtual addresses that
> __start_xen() currently uses.  This keeps all the pointers valid for the
> duration of __start_xen(), for all boot protocols.
> 
> It can be safely untangled once multiboot_fill_boot_info() takes a full copy
> the multiboot info data, and __start_xen() has been moved over to using the
> new boot_info consistently.
> 
> Right now, bi->{loader,cmdline,mods} are problematic.  Nothing uses
> bi->mods[], and nothing uses bi->cmdline after move_xen().
> 
> bi->loader is used after move_xen(), although only for cmdline_cook() of
> dom0's cmdline, where it happens to be benign because PVH boot skips the
> inspection of the bootloader name.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

One nit below about dropping a const keyword.

> ---
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> 
> This is more proof that Xen only boots by accident.  It certainly isn't by any
> kind of design.
> 
> https://gitlab.com/xen-project/people/andyhhp/xen/-/pipelines/1506947472
> including the pending work to add a PVShim test
> 
> This is the least-invasive fix given the rest of the Hyperlaunch series.
> 
> A different option would to introduce EFI and PVH forms of
> multiboot_fill_boot_info(), but that would involve juggling even more moving
> parts during the transition period.
> ---
>  xen/arch/x86/setup.c | 25 ++++++++++++++++++++-----
>  1 file changed, 20 insertions(+), 5 deletions(-)
> 
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index db670258d650..e43b56d4e80f 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -283,11 +283,10 @@ struct boot_info __initdata xen_boot_info = {
>      .cmdline = "",
>  };
>  
> -static struct boot_info *__init multiboot_fill_boot_info(unsigned long mbi_p)
> +static struct boot_info *__init multiboot_fill_boot_info(
> +    multiboot_info_t *mbi, module_t *mods)

Shouldn't mbi keep the const keyword?  Given there are no changes on
how it's used in multiboot_fill_boot_info().

Thanks, Roger.



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.