
Re: [PATCH 3/3] x86/boot: Fix XSM module handling during PVH boot


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 23 Oct 2024 08:17:42 -0400
  • Cc: Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Wed, 23 Oct 2024 12:17:52 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 10/23/24 06:57, Andrew Cooper wrote:
> From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
>
> As detailed in commit 0fe607b2a144 ("x86/boot: Fix PVH boot during boot_info
> transition period"), the use of __va(mbi->mods_addr) constitutes a
> use-after-free on the PVH boot path.
>
> This pattern has been in use since before PVH support was added.  This has
> most likely gone unnoticed because no-one's tried using a detached Flask
> policy in a PVH VM before.
>
> Plumb the boot_info pointer down, replacing module_map and mbi.  Importantly,
> bi->mods[].mod is a safe way to access the module list during PVH boot.
>
> As this is the final non-bi use of mbi in __start_xen(), make the pointer
> unusable once bi has been established, to prevent new uses creeping back in.
> This is a stopgap until mbi can be fully removed.
>
> Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> ---
> CC: Jan Beulich <JBeulich@xxxxxxxx>
> CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> CC: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
