From patchwork Mon May 23 06:44:57 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Beulich X-Patchwork-Id: 9131183 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 27E25607D3 for ; Mon, 23 May 2016 06:45:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1B30F281BE for ; Mon, 23 May 2016 06:45:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0F03F281FE; Mon, 23 May 2016 06:45:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 1E53F281BE for ; Mon, 23 May 2016 06:45:29 +0000 (UTC) Received: from localhost ([::1]:45928 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1b4jcG-0003WZ-8a for patchwork-qemu-devel@patchwork.kernel.org; Mon, 23 May 2016 02:45:28 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:37476) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1b4jbu-0003Tr-KV for qemu-devel@nongnu.org; Mon, 23 May 2016 02:45:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1b4jbq-0006cV-Rn for qemu-devel@nongnu.org; Mon, 23 May 2016 02:45:05 -0400 Received: from prv-mh.provo.novell.com ([137.65.248.74]:41317) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1b4jbq-0006c6-J0 for qemu-devel@nongnu.org; Mon, 23 May 2016 02:45:02 -0400 Received: from INET-PRV-MTA by prv-mh.provo.novell.com with Novell_GroupWise; Mon, 23 May 2016 00:45:00 -0600 Message-Id: <5742C30902000078000ED9FC@prv-mh.provo.novell.com> X-Mailer: Novell GroupWise Internet Agent 14.2.0 Date: Mon, 23 May 2016 00:44:57 -0600 From: "Jan Beulich" To: Mime-Version: 1.0 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 137.65.248.74 Subject: [Qemu-devel] [PATCH] xen/blkif: avoid double access to any shared ring request fields X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Stefano Stabellini Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Commit f9e98e5d7a ("xen/blkif: Avoid double access to src->nr_segments") didn't go far enough: src->operation is also being used twice. And nothing was done to prevent the compiler from using the source side of the copy done by blk_get_request() (granted that's very unlikely). Move the barrier()s up, and add another one to blk_get_request(). Note that for completing XSA-155, the barrier() getting added to blk_get_request() would suffice, and hence the changes to xen_blkif.h are more like just cleanup. And since, as said, the unpatched code getting compiled to something vulnerable is very unlikely (and not observed in practice), this isn't being viewed as a new security issue. Signed-off-by: Jan Beulich xen/blkif: avoid double access to any shared ring request fields Commit f9e98e5d7a ("xen/blkif: Avoid double access to src->nr_segments") didn't go far enough: src->operation is also being used twice. And nothing was done to prevent the compiler from using the source side of the copy done by blk_get_request() (granted that's very unlikely). Move the barrier()s up, and add another one to blk_get_request(). Note that for completing XSA-155, the barrier() getting added to blk_get_request() would suffice, and hence the changes to xen_blkif.h are more like just cleanup. And since, as said, the unpatched code getting compiled to something vulnerable is very unlikely (and not observed in practice), this isn't being viewed as a new security issue. Signed-off-by: Jan Beulich --- a/hw/block/xen_blkif.h +++ b/hw/block/xen_blkif.h @@ -79,14 +79,14 @@ static inline void blkif_get_x86_32_req( dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) @@ -102,14 +102,14 @@ static inline void blkif_get_x86_64_req( dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) --- a/hw/block/xen_disk.c +++ b/hw/block/xen_disk.c @@ -679,6 +679,8 @@ static int blk_get_request(struct XenBlk RING_GET_REQUEST(&blkdev->rings.x86_64_part, rc)); break; } + /* Prevent the compiler from accessing the on-ring fields instead. */ + barrier(); return 0; } Reviewed-by: Stefano Stabellini --- a/hw/block/xen_blkif.h +++ b/hw/block/xen_blkif.h @@ -79,14 +79,14 @@ static inline void blkif_get_x86_32_req( dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) @@ -102,14 +102,14 @@ static inline void blkif_get_x86_64_req( dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) --- a/hw/block/xen_disk.c +++ b/hw/block/xen_disk.c @@ -679,6 +679,8 @@ static int blk_get_request(struct XenBlk RING_GET_REQUEST(&blkdev->rings.x86_64_part, rc)); break; } + /* Prevent the compiler from accessing the on-ring fields instead. */ + barrier(); return 0; }