From patchwork Fri Jan 17 13:31:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Alexandru Stefan ISAILA X-Patchwork-Id: 11339023 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 66F5714B7 for ; Fri, 17 Jan 2020 13:32:45 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 364ED206B7 for ; Fri, 17 Jan 2020 13:32:45 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=bitdefender.onmicrosoft.com header.i=@bitdefender.onmicrosoft.com header.b="W1sU4J1S" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 364ED206B7 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=bitdefender.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1isRik-0004AM-Bl; Fri, 17 Jan 2020 13:31:30 +0000 Received: from us1-rack-iad1.inumbo.com ([172.99.69.81]) by lists.xenproject.org with esmtp (Exim 4.89) (envelope-from ) id 1isRij-0004AH-Ho for xen-devel@lists.xenproject.org; Fri, 17 Jan 2020 13:31:29 +0000 X-Inumbo-ID: aa1986e0-392d-11ea-9fd7-bc764e2007e4 Received: from EUR05-AM6-obe.outbound.protection.outlook.com (unknown [2a01:111:f400:7e1b::718]) by us1-rack-iad1.inumbo.com (Halon) with ESMTPS id aa1986e0-392d-11ea-9fd7-bc764e2007e4; Fri, 17 Jan 2020 13:31:28 +0000 (UTC) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=csEUq7fpohHn1teavYa3FrWS7AFenyaIquBCuY5hm6Px7SwW3sYcUt1zAYAOeace0qqNcDoba/GHCIjZeX5TM7JVajMMq/FdYg8FEI+hV6UTdanooynuLHlsdxXg9dxs3jKKJaanyZfYQUKizv9wqXJQpDAG5o0tIPS70rHLTXGnK22mM1ehBA40cSzFk35oqvFYFxqkgJGpgi95K1qpY6URRhbSASOMAMyRfwRCYW2mKhmy2dGu3bLOCuO7XSBef6CdYjzsyvMZcUc66t5CTOhcLwqw83b3pmGAPrK+QWIAssyARnMFSpd6xOJv3H2gbNORyHfRJ3uZg14NFuEZAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ldElNgkacO1dJqZEmB9c0GFsYpfucd+SOQN8qtwKsdM=; b=aDNnUjIE/zngG1b+eL9vJCnhmbUGas0uQxNtummq2VqpNZDeDfKjaeu6m4O41TC2NEFOedSNwWu/xZPhDDKbRgkxC6QqYqwnA6l4j6Aq/HYISQmlgiOnwOf/rsPvoGQFIIcR2g5tpCt9pSsJ6eLOsrvzsNq5V7E8iDs6AQcWPDJjAvRg6wCwuJoa5m1ghdj1RSWGCQIPunkihqCDwBjlB025Cfe16Spdd5upupKiWNWzR6uCLLfk5u1lz+AqS9jWDWH+KpZhfJK6FgW1IcDZTlI7ScEJoMa33l18ESvvnxpACKuIn8qJXVEZxGASUNpO9tN8x4vD7uJ+OG4JF0BmvQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bitdefender.com; dmarc=pass action=none header.from=bitdefender.com; dkim=pass header.d=bitdefender.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bitdefender.onmicrosoft.com; s=selector2-bitdefender-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ldElNgkacO1dJqZEmB9c0GFsYpfucd+SOQN8qtwKsdM=; b=W1sU4J1SICy/JjHYElk81nrlsvfY+3mxE7x2AY9yzIB7Mhn/tyehoDTvvAD7U6eZLFcOSW7ZQo3GR4vPJQuL/SB7njH+zVbmhKKcfTOjrdgk2cKdKaPXbGGih1QiG3tJpmtaUyY8G/Y+MYtXaLAcZeVH7hkcckJ2HNhLGTERKlA= Received: from DB6PR02MB2999.eurprd02.prod.outlook.com (10.170.219.144) by DB6PR02MB3207.eurprd02.prod.outlook.com (10.175.234.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.18; Fri, 17 Jan 2020 13:31:26 +0000 Received: from DB6PR02MB2999.eurprd02.prod.outlook.com ([fe80::f1c2:7dd1:1131:1c1d]) by DB6PR02MB2999.eurprd02.prod.outlook.com ([fe80::f1c2:7dd1:1131:1c1d%7]) with mapi id 15.20.2644.023; Fri, 17 Jan 2020 13:31:26 +0000 Received: from aisaila-Latitude-E5570.dsd.bitdefender.biz (91.199.104.6) by AM0PR0402CA0004.eurprd04.prod.outlook.com (2603:10a6:208:15::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.20 via Frontend Transport; Fri, 17 Jan 2020 13:31:25 +0000 From: Alexandru Stefan ISAILA To: "xen-devel@lists.xenproject.org" Thread-Topic: [PATCH V8 1/4] x86/mm: Add array_index_nospec to guest provided index values Thread-Index: AQHVzTpq9xGBjBauhkySgHgyCm4sbQ== Date: Fri, 17 Jan 2020 13:31:26 +0000 Message-ID: <20200117133059.14602-1-aisaila@bitdefender.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-clientproxiedby: AM0PR0402CA0004.eurprd04.prod.outlook.com (2603:10a6:208:15::17) To DB6PR02MB2999.eurprd02.prod.outlook.com (2603:10a6:6:17::16) authentication-results: spf=none (sender IP is ) smtp.mailfrom=aisaila@bitdefender.com; x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.17.1 x-originating-ip: [91.199.104.6] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 48b6800d-aa63-4a45-752e-08d79b518d37 x-ms-traffictypediagnostic: DB6PR02MB3207:|DB6PR02MB3207: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:1002; x-forefront-prvs: 0285201563 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(396003)(366004)(136003)(39850400004)(199004)(189003)(71200400001)(1076003)(52116002)(956004)(2616005)(66476007)(66556008)(36756003)(66446008)(64756008)(54906003)(478600001)(86362001)(6486002)(5660300002)(4326008)(8936002)(316002)(16526019)(66946007)(81156014)(26005)(81166006)(186003)(6916009)(8676002)(2906002)(6512007)(6506007); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6PR02MB3207; H:DB6PR02MB2999.eurprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: bitdefender.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: IRrOVVpTv7jEM5Aomevq17TEUqbStBjkdk9DPuoflmMIj22xhufeux7VMQh2Zuv8vL/mvWM3Xn6YUNoNwekDaAhKH4r6X1w82qxovSgtrqlSVdvg2M6ILqGRn8oFq+qPWkUldDhW4grk9bQ4Oyg7Sg9/LzpCNdkkf7UZiKBfE4D9RqIZKjOYEzshtXSim9Wdf7D06+zIdCQzGxZSV1un9jPr8dyvThTCJJTBrPYunLardQ2FtJa/5booG2Hrg09h8tsA4a1T00mYj4hRXUQoN4bnf1CKqo6tlfI6ALlS3GiW0mk/HG4Rt+tvF3ecosTXVSLNG+vTmz4DorNHdhbgHzua2lRSk2zUsBLk1B2KmM50cN/WIkmj/tJHg3MocqdHhzuYsKNXQO+7ArDt5gqKQz+u/E9MGl/NaWfFmNxWfNkBMb0fTdes7igNRxYpDYS1 Content-ID: MIME-Version: 1.0 X-OriginatorOrg: bitdefender.com X-MS-Exchange-CrossTenant-Network-Message-Id: 48b6800d-aa63-4a45-752e-08d79b518d37 X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jan 2020 13:31:26.1611 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 487baf29-f1da-469a-9221-243f830c36f3 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: dyCZYRG57P8eFE/AYapyVzmmQsgOsAluSa7Q8/A1C51SNdtHH9aaF8pm0VflFoiuULuMUagvB9hcxQNU0pYT/LYiybDrk4C+niIhWxO0YRI= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR02MB3207 Subject: [Xen-devel] [PATCH V8 1/4] x86/mm: Add array_index_nospec to guest provided index values X-BeenThere: xen-devel@lists.xenproject.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Cc: Petre Ovidiu PIRCALABU , Kevin Tian , Tamas K Lengyel , Wei Liu , Razvan COJOCARU , George Dunlap , Andrew Cooper , Jan Beulich , Jun Nakajima , Alexandru Stefan ISAILA , =?utf-8?q?Roger_Pau_Monn?= =?utf-8?q?=C3=A9?= Errors-To: xen-devel-bounces@lists.xenproject.org Sender: "Xen-devel" This patch aims to sanitize indexes, potentially guest provided values, for altp2m_eptp[] and altp2m_p2m[] arrays. Requested-by: Jan Beulich Signed-off-by: Alexandru Isaila Acked-by: Tamas K Lengyel Reviewed-by: Jan Beulich Reviewed-by: Petre Pircalabu Acked-by: George Dunlap --- CC: Razvan Cojocaru CC: Tamas K Lengyel CC: Petre Pircalabu CC: George Dunlap CC: Jan Beulich CC: Andrew Cooper CC: Wei Liu CC: "Roger Pau Monné" CC: Jun Nakajima CC: Kevin Tian --- Changes since V7: - Make use of array_access_nospec() over array_index_nospec(altp2m_idx, ARRAY_SIZE(d->arch.altp2m_p2m). --- xen/arch/x86/mm/mem_access.c | 21 ++++++++++--------- xen/arch/x86/mm/p2m-ept.c | 4 ++-- xen/arch/x86/mm/p2m.c | 39 +++++++++++++++++++++--------------- 3 files changed, 37 insertions(+), 27 deletions(-) diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c index 320b9fe621..31ff826393 100644 --- a/xen/arch/x86/mm/mem_access.c +++ b/xen/arch/x86/mm/mem_access.c @@ -366,11 +366,12 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, #ifdef CONFIG_HVM if ( altp2m_idx ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = array_access_nospec(d->arch.altp2m_p2m, altp2m_idx); } #else ASSERT(!altp2m_idx); @@ -425,11 +426,12 @@ long p2m_set_mem_access_multi(struct domain *d, #ifdef CONFIG_HVM if ( altp2m_idx ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = array_access_nospec(d->arch.altp2m_p2m, altp2m_idx); } #else ASSERT(!altp2m_idx); @@ -491,11 +493,12 @@ int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access, } else if ( altp2m_idx ) /* altp2m view 0 is treated as the hostp2m */ { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = array_access_nospec(d->arch.altp2m_p2m, altp2m_idx); } #else ASSERT(!altp2m_idx); diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index b5517769c9..b078a9a59e 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -1353,7 +1353,7 @@ void setup_ept_dump(void) void p2m_init_altp2m_ept(struct domain *d, unsigned int i) { - struct p2m_domain *p2m = d->arch.altp2m_p2m[i]; + struct p2m_domain *p2m = array_access_nospec(d->arch.altp2m_p2m, i); struct p2m_domain *hostp2m = p2m_get_hostp2m(d); struct ept_data *ept; @@ -1366,7 +1366,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i) p2m->max_mapped_pfn = p2m->max_remapped_gfn = 0; ept = &p2m->ept; ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m)); - d->arch.altp2m_eptp[i] = ept->eptp; + d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp; } unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp) diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 3119269073..00b24342fc 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2502,7 +2502,7 @@ static void p2m_reset_altp2m(struct domain *d, unsigned int idx, struct p2m_domain *p2m; ASSERT(idx < MAX_ALTP2M); - p2m = d->arch.altp2m_p2m[idx]; + p2m = array_access_nospec(d->arch.altp2m_p2m, idx); p2m_lock(p2m); @@ -2543,7 +2543,7 @@ static int p2m_activate_altp2m(struct domain *d, unsigned int idx) ASSERT(idx < MAX_ALTP2M); - p2m = d->arch.altp2m_p2m[idx]; + p2m = array_access_nospec(d->arch.altp2m_p2m, idx); hostp2m = p2m_get_hostp2m(d); p2m_lock(p2m); @@ -2574,12 +2574,13 @@ int p2m_init_altp2m_by_id(struct domain *d, unsigned int idx) { int rc = -EINVAL; - if ( idx >= MAX_ALTP2M ) + if ( idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ) return rc; altp2m_list_lock(d); - if ( d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) + if ( d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) rc = p2m_activate_altp2m(d, idx); altp2m_list_unlock(d); @@ -2615,7 +2616,7 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) struct p2m_domain *p2m; int rc = -EBUSY; - if ( !idx || idx >= MAX_ALTP2M ) + if ( !idx || idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) ) return rc; rc = domain_pause_except_self(d); @@ -2625,14 +2626,16 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) rc = -EBUSY; altp2m_list_lock(d); - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) + if ( d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] != + mfn_x(INVALID_MFN) ) { - p2m = d->arch.altp2m_p2m[idx]; + p2m = array_access_nospec(d->arch.altp2m_p2m, idx); if ( !_atomic_read(p2m->active_vcpus) ) { p2m_reset_altp2m(d, idx, ALTP2M_DEACTIVATE); - d->arch.altp2m_eptp[idx] = mfn_x(INVALID_MFN); + d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] = + mfn_x(INVALID_MFN); rc = 0; } } @@ -2689,11 +2692,13 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx, mfn_t mfn; int rc = -EINVAL; - if ( idx >= MAX_ALTP2M || d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) + if ( idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return rc; hp2m = p2m_get_hostp2m(d); - ap2m = d->arch.altp2m_p2m[idx]; + ap2m = array_access_nospec(d->arch.altp2m_p2m, idx); p2m_lock(hp2m); p2m_lock(ap2m); @@ -3032,11 +3037,12 @@ int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve, if ( altp2m_idx > 0 ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = array_access_nospec(d->arch.altp2m_p2m, altp2m_idx); } else p2m = host_p2m; @@ -3075,11 +3081,12 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve, if ( altp2m_idx > 0 ) { - if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_p2m), MAX_EPTP) || + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = array_access_nospec(d->arch.altp2m_p2m, altp2m_idx); } else p2m = host_p2m;