From: Alexandru Stefan ISAILA
To: "xen-devel@lists.xenproject.org"
Date: Wed, 8 Jan 2020 14:08:34 +0000
Message-ID: <20200108140810.6528-1-aisaila@bitdefender.com>
Subject: [Xen-devel] [PATCH V7 1/4] x86/mm: Add array_index_nospec to guest provided index values
Cc: Petre Ovidiu PIRCALABU, Kevin Tian, Tamas K Lengyel, Wei Liu, Razvan COJOCARU, George Dunlap, Andrew Cooper, Jan Beulich, Jun Nakajima, Alexandru Stefan ISAILA, Roger Pau Monné

This patch aims to sanitize indexes, potentially guest provided values, for altp2m_eptp[] and altp2m_p2m[] arrays.

Requested-by: Jan Beulich
Signed-off-by: Alexandru Isaila
Acked-by: Tamas K Lengyel
---
CC: Razvan Cojocaru
CC: Tamas K Lengyel
CC: Petre Pircalabu
CC: George Dunlap
CC: Jan Beulich
CC: Andrew Cooper
CC: Wei Liu
CC: "Roger Pau Monné"
CC: Jun Nakajima
CC: Kevin Tian
---
Changes since V6:
- Remove stray spaces
- Use ARRAY_SIZE(d->arch.altp2m_p2m) instead of MAX_ALTP2M.
---
 xen/arch/x86/mm/mem_access.c | 24 +++++++++++--------
 xen/arch/x86/mm/p2m-ept.c    |  6 +++--
 xen/arch/x86/mm/p2m.c        | 45 +++++++++++++++++++++++-------------
 3 files changed, 48 insertions(+), 27 deletions(-)

diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c index 320b9fe621..f323d885b1 100644 --- a/xen/arch/x86/mm/mem_access.c +++ b/xen/arch/x86/mm/mem_access.c @@ -366,11 +366,13 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, #ifdef CONFIG_HVM if ( altp2m_idx ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; } #else ASSERT(!altp2m_idx); @@ -425,11 +427,13 @@ long p2m_set_mem_access_multi(struct domain *d, #ifdef CONFIG_HVM if ( altp2m_idx ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; } #else ASSERT(!altp2m_idx); 
@@ -491,11 +495,13 @@ int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access, } else if ( altp2m_idx ) /* altp2m view 0 is treated as the hostp2m */ { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; } #else ASSERT(!altp2m_idx); diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index b5517769c9..1c23ea6169 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -1353,7 +1353,9 @@ void setup_ept_dump(void) void p2m_init_altp2m_ept(struct domain *d, unsigned int i) { - struct p2m_domain *p2m = d->arch.altp2m_p2m[i]; + struct p2m_domain *p2m = d->arch. + altp2m_p2m[array_index_nospec(i, + ARRAY_SIZE(d->arch.altp2m_p2m))]; struct p2m_domain *hostp2m = p2m_get_hostp2m(d); struct ept_data *ept; @@ -1366,7 +1368,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i) p2m->max_mapped_pfn = p2m->max_remapped_gfn = 0; ept = &p2m->ept; ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m)); - d->arch.altp2m_eptp[i] = ept->eptp; + d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp; } unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp) diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 3119269073..5f046960a9 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2502,7 +2502,8 @@ static void p2m_reset_altp2m(struct domain *d, unsigned int idx, struct p2m_domain *p2m; ASSERT(idx < MAX_ALTP2M); - p2m = d->arch.altp2m_p2m[idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; p2m_lock(p2m); 
@@ -2543,7 +2544,8 @@ static int p2m_activate_altp2m(struct domain *d, unsigned int idx) ASSERT(idx < MAX_ALTP2M); - p2m = d->arch.altp2m_p2m[idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; hostp2m = p2m_get_hostp2m(d); p2m_lock(p2m); @@ -2574,12 +2576,13 @@ int p2m_init_altp2m_by_id(struct domain *d, unsigned int idx) { int rc = -EINVAL; - if ( idx >= MAX_ALTP2M ) + if ( idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ) return rc; altp2m_list_lock(d); - if ( d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) + if ( d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) rc = p2m_activate_altp2m(d, idx); altp2m_list_unlock(d); @@ -2615,7 +2618,7 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) struct p2m_domain *p2m; int rc = -EBUSY; - if ( !idx || idx >= MAX_ALTP2M ) + if ( !idx || idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ) return rc; rc = domain_pause_except_self(d); @@ -2625,14 +2628,17 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) rc = -EBUSY; altp2m_list_lock(d); - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) + if ( d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] != + mfn_x(INVALID_MFN) ) { - p2m = d->arch.altp2m_p2m[idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; if ( !_atomic_read(p2m->active_vcpus) ) { p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE); - d->arch.altp2m_eptp[idx] = mfn_x(INVALID_MFN); + d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] = + mfn_x(INVALID_MFN); rc = 0; } } 
@@ -2689,11 +2695,14 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx, mfn_t mfn; int rc = -EINVAL; - if ( idx >= MAX_ALTP2M || d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) + if ( idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return rc; hp2m = p2m_get_hostp2m(d); - ap2m = d->arch.altp2m_p2m[idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; p2m_lock(hp2m); p2m_lock(ap2m); @@ -3032,11 +3041,13 @@ int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve, if ( altp2m_idx > 0 ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; } else p2m = host_p2m; @@ -3075,11 +3086,13 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve, if ( altp2m_idx > 0 ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + ARRAY_SIZE(d->arch.altp2m_p2m))]; } else p2m = host_p2m;
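Review bot: the same three-line bounds check followed by two separate array_index_nospec() clamps (one against MAX_EPTP for altp2m_eptp[], one against ARRAY_SIZE(d->arch.altp2m_p2m) for altp2m_p2m[]) is repeated verbatim in p2m_set_mem_access, p2m_set_mem_access_multi and p2m_get_mem_access in mem_access.c and again in p2m_change_altp2m_gfn, p2m_set_suppress_ve and p2m_get_suppress_ve in p2m.c. Since the check already rejects any index >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP), clamping once right after it, e.g. `altp2m_idx = array_index_nospec(altp2m_idx, min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP));`, and then indexing both arrays with the clamped value would halve the number of clamp sites and keep the bound in a single place; a small static helper that performs the check and returns the altp2m (or NULL) would remove the six-way duplication altogether.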
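Review bot: the wrapped initializer in p2m_init_altp2m_ept (p2m-ept.c) splits the member access at the dot, leaving `d->arch.` at the end of one line and `altp2m_p2m[array_index_nospec(i,` on the next, which is harder to read and to grep than every other site in this series; breaking after the `=` instead, i.e. `struct p2m_domain *p2m =` followed by `d->arch.altp2m_p2m[array_index_nospec(i, ARRAY_SIZE(d->arch.altp2m_p2m))];`, keeps the expression intact. The second hunk in the same function writes `d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp;`, so clamping i once at function entry against min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) would cover both accesses with one call.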
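Review bot: in p2m_reset_altp2m and p2m_activate_altp2m (p2m.c) the existing `ASSERT(idx < MAX_ALTP2M);` is left in place while the new clamp directly below it uses ARRAY_SIZE(d->arch.altp2m_p2m) as its bound; the change log for this version says ARRAY_SIZE replaces MAX_ALTP2M, so the assertion should use the same bound (or the hunk should state that the two are equal), otherwise a debug build checks one limit and the speculation clamp enforces another. Both helpers are reached from p2m_init_altp2m_by_id and p2m_destroy_altp2m_by_id, which already range-check idx and clamp it for their own altp2m_eptp[] and altp2m_p2m[] accesses but still pass the unclamped idx down; passing the clamped value would let the helpers rely on it and drop their own array_index_nospec() calls.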