From patchwork Mon Jun 13 10:50:46 2016
X-Patchwork-Submitter: Julien Grall
X-Patchwork-Id: 9172651
From: Julien Grall
To: boris.ostrovsky@oracle.com, david.vrabel@citrix.com, jgross@suse.com, sstabellini@kernel.org, konrad.wilk@oracle.com
Cc: steve.capper@arm.com, andrew.cooper3@citrix.com, linux-kernel@vger.kernel.org, xen-devel@lists.xen.org, Julien Grall, JBeulich@suse.com
Date: Mon, 13 Jun 2016 11:50:46 +0100
Message-Id: <1465815046-5390-1-git-send-email-julien.grall@arm.com>
Subject: [Xen-devel] [PATCH] xen: grant-table: Check truncation when giving access to a frame

Version 1 of the grant-table protocol only supports frames encoded on 32 bits. When the platform supports 48-bit physical addresses, the frame will be encoded on 36 bits, which will lead to a truncation and give access to the wrong frame.

On ARM, Xen will always allow the guest to use all the physical address space, although today the RAM is always located under 40 bits (see xen/include/public/arch-arm.h).

Add a truncation check in gnttab_update_entry_v1 to prevent the guest from giving access to the wrong frame.

Signed-off-by: Julien Grall
---
This is limiting us to a 44-bit address space whilst ARM can support up to 48-bit today. This number of bits will increase to 52-bit in upcoming processors [1]. It might be good to start thinking about extending version 1 of the protocol to use a 64-bit frame number.

[1] https://community.arm.com/groups/processors/blog/2016/01/05/armv8-a-architecture-evolution
---
 drivers/xen/grant-table.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index bb36b1e..f47c2e99 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c 
@@ -224,6 +224,13 @@ static void gnttab_update_entry_v1(grant_ref_t ref, domid_t domid, { gnttab_shared.v1[ref].domid = domid; gnttab_shared.v1[ref].frame = frame; + + /* + * V1 only supports 32-bit frame, check the truncation + * to avoid giving access to the wrong frame. + */ + BUG_ON(gnttab_shared.v1[ref].frame != frame); + wmb(); gnttab_shared.v1[ref].flags = flags; }
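Review bot: The new `BUG_ON(gnttab_shared.v1[ref].frame != frame);` in gnttab_update_entry_v1 crashes the kernel for a condition that could be reported as an error, and it only fires after `gnttab_shared.v1[ref].frame = frame;` has already stored the truncated value in the shared entry. Because `flags` is written only after `wmb()`, the entry is not published with the wrong frame before the BUG_ON triggers, so the check does close the hole, but the function is `static void` and has no way to hand the failure back. Consider validating the frame before any field of the entry is written, preferably in a caller that can return an error, and keep a WARN here as a backstop. The test also depends on the implicit narrowing of the assignment; an explicit comparison against the 32-bit limit ahead of the store would state the intent directly and would not need the read-back from shared memory.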
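The truncation described in the commit message, as an added example that is not part of the patch or of the kernel's code: a simplified model of a v1 entry with its 32-bit frame field, showing which frame an address above 44 bits aliases to, next to a setter that checks before it stores. The struct and function names, the 4 KiB page size and the sample address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a v1 grant entry: the frame field is 32 bits wide. */
struct grant_entry_v1_model {
    uint16_t flags;
    uint16_t domid;
    uint32_t frame;
};

#define MODEL_PAGE_SHIFT 12 /* assumption: 4 KiB pages */

/* Frame number a v1 entry would actually hold for a physical address. */
static uint32_t v1_stored_frame(uint64_t paddr)
{
    return (uint32_t)(paddr >> MODEL_PAGE_SHIFT); /* drops bits 32 and up */
}

/*
 * Hypothetical checked setter: validate first, so a frame that does not
 * fit leaves the entry untouched and the caller gets an error.
 * Returns 0 on success, -1 if the frame needs more than 32 bits.
 */
static int v1_set_entry_checked(struct grant_entry_v1_model *e, uint16_t domid,
                                uint64_t frame, uint16_t flags)
{
    if (frame > UINT32_MAX)
        return -1;
    e->domid = domid;
    e->frame = (uint32_t)frame;
    /* real code needs a write barrier here, before flags makes it valid */
    e->flags = flags;
    return 0;
}

int main(void)
{
    /* Constructed sample: first address past 44 bits, plus five pages. */
    uint64_t paddr = (1ULL << 44) + 0x5000;
    uint64_t frame = paddr >> MODEL_PAGE_SHIFT;
    struct grant_entry_v1_model e = {0};

    printf("real frame:   0x%llx\n", (unsigned long long)frame);
    printf("stored frame: 0x%x\n", v1_stored_frame(paddr));
    printf("checked set:  %d\n", v1_set_entry_checked(&e, 1, frame, 1));
    return 0;
}
```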