| Message ID | 20191219094236.22002-1-aisaila@bitdefender.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [V5,1/4] x86/mm: Add array_index_nospec to guest provided index values | expand |
On 19.12.2019 10:42, Alexandru Stefan ISAILA wrote: > This patch aims to sanitize indexes, potentially guest provided > values, for altp2m_eptp[] and altp2m_p2m[] arrays. > > Requested-by: Jan Beulich <jbeulich@suse.com> > Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> > --- > CC: Razvan Cojocaru <rcojocaru@bitdefender.com> > CC: Tamas K Lengyel <tamas@tklengyel.com> > CC: Petre Pircalabu <ppircalabu@bitdefender.com> > CC: George Dunlap <george.dunlap@eu.citrix.com> > CC: Jan Beulich <jbeulich@suse.com> > CC: Andrew Cooper <andrew.cooper3@citrix.com> > CC: Wei Liu <wl@xen.org> > CC: "Roger Pau Monné" <roger.pau@citrix.com> > CC: Jun Nakajima <jun.nakajima@intel.com> > CC: Kevin Tian <kevin.tian@intel.com> > --- > Changes since V4: > - Change bounds check from MAX_EPTP to MAX_ALTP2M > - Move array_index_nospec() closer to the bounds check. > --- > xen/arch/x86/mm/mem_access.c | 15 +++++++++------ > xen/arch/x86/mm/p2m.c | 20 ++++++++++++++------ > 2 files changed, 23 insertions(+), 12 deletions(-) > > diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c > index 320b9fe621..33e379db8f 100644 > --- a/xen/arch/x86/mm/mem_access.c > +++ b/xen/arch/x86/mm/mem_access.c > @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, > if ( altp2m_idx ) > { > if ( altp2m_idx >= MAX_ALTP2M || > - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) > + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == As implied by a reply to v4, this is still latently buggy: There's no guarantee anyone will notice the issue here when bumping MAX_ALTP2M past MAX_EPTP. The only future proof thing to do here is, as suggested, using some form of min(MAX_ALTP2M, MAX_EPTP) in the actual bounds check. Then each array access itself can be made use the correct bound. In fact you'd probably have noticed this if you had made use of array_access_nospec() where possible (which also would help readability) - apparently not here, but ... > + mfn_x(INVALID_MFN) ) > return -EINVAL; > > - ap2m = d->arch.altp2m_p2m[altp2m_idx]; > + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; ... here. The min() suggested above would then better become min(ARRAY_SIZE(d->arch.altp2m_eptp), MAX_EPTP), which I think would then even compile cleanly (the apparently simpler form above wouldn't as is afaict). > --- a/xen/arch/x86/mm/p2m.c > +++ b/xen/arch/x86/mm/p2m.c > @@ -2574,6 +2574,7 @@ int p2m_init_altp2m_by_id(struct domain *d, unsigned int idx) > if ( idx >= MAX_ALTP2M ) > return rc; > > + idx = array_index_nospec(idx, MAX_ALTP2M); > altp2m_list_lock(d); I wouldn't object to there being no blank line between the if() and the line you add, but you surely want a blank line ahead of the unrelated lock acquire (similarly at least once more below). Jan
On 19.12.2019 12:43, Jan Beulich wrote: > On 19.12.2019 10:42, Alexandru Stefan ISAILA wrote: >> This patch aims to sanitize indexes, potentially guest provided >> values, for altp2m_eptp[] and altp2m_p2m[] arrays. >> >> Requested-by: Jan Beulich <jbeulich@suse.com> >> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> >> --- >> CC: Razvan Cojocaru <rcojocaru@bitdefender.com> >> CC: Tamas K Lengyel <tamas@tklengyel.com> >> CC: Petre Pircalabu <ppircalabu@bitdefender.com> >> CC: George Dunlap <george.dunlap@eu.citrix.com> >> CC: Jan Beulich <jbeulich@suse.com> >> CC: Andrew Cooper <andrew.cooper3@citrix.com> >> CC: Wei Liu <wl@xen.org> >> CC: "Roger Pau Monné" <roger.pau@citrix.com> >> CC: Jun Nakajima <jun.nakajima@intel.com> >> CC: Kevin Tian <kevin.tian@intel.com> >> --- >> Changes since V4: >> - Change bounds check from MAX_EPTP to MAX_ALTP2M >> - Move array_index_nospec() closer to the bounds check. >> --- >> xen/arch/x86/mm/mem_access.c | 15 +++++++++------ >> xen/arch/x86/mm/p2m.c | 20 ++++++++++++++------ >> 2 files changed, 23 insertions(+), 12 deletions(-) >> >> diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c >> index 320b9fe621..33e379db8f 100644 >> --- a/xen/arch/x86/mm/mem_access.c >> +++ b/xen/arch/x86/mm/mem_access.c >> @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, >> if ( altp2m_idx ) >> { >> if ( altp2m_idx >= MAX_ALTP2M || Ok, so have if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_eptp), MAX_EPTP) || here and then... >> - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) >> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == have MAX_EPTP here and ... > > As implied by a reply to v4, this is still latently buggy: There's > no guarantee anyone will notice the issue here when bumping > MAX_ALTP2M past MAX_EPTP. The only future proof thing to do here > is, as suggested, using some form of min(MAX_ALTP2M, MAX_EPTP) in > the actual bounds check. Then each array access itself can be made > use the correct bound. In fact you'd probably have noticed this if > you had made use of array_access_nospec() where possible (which > also would help readability) - apparently not here, but ... > >> + mfn_x(INVALID_MFN) ) >> return -EINVAL; >> >> - ap2m = d->arch.altp2m_p2m[altp2m_idx]; >> + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; MAX_ALTP2M here ? Alex
On 20.12.2019 10:09, Alexandru Stefan ISAILA wrote: > > > On 19.12.2019 12:43, Jan Beulich wrote: >> On 19.12.2019 10:42, Alexandru Stefan ISAILA wrote: >>> This patch aims to sanitize indexes, potentially guest provided >>> values, for altp2m_eptp[] and altp2m_p2m[] arrays. >>> >>> Requested-by: Jan Beulich <jbeulich@suse.com> >>> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> >>> --- >>> CC: Razvan Cojocaru <rcojocaru@bitdefender.com> >>> CC: Tamas K Lengyel <tamas@tklengyel.com> >>> CC: Petre Pircalabu <ppircalabu@bitdefender.com> >>> CC: George Dunlap <george.dunlap@eu.citrix.com> >>> CC: Jan Beulich <jbeulich@suse.com> >>> CC: Andrew Cooper <andrew.cooper3@citrix.com> >>> CC: Wei Liu <wl@xen.org> >>> CC: "Roger Pau Monné" <roger.pau@citrix.com> >>> CC: Jun Nakajima <jun.nakajima@intel.com> >>> CC: Kevin Tian <kevin.tian@intel.com> >>> --- >>> Changes since V4: >>> - Change bounds check from MAX_EPTP to MAX_ALTP2M >>> - Move array_index_nospec() closer to the bounds check. >>> --- >>> xen/arch/x86/mm/mem_access.c | 15 +++++++++------ >>> xen/arch/x86/mm/p2m.c | 20 ++++++++++++++------ >>> 2 files changed, 23 insertions(+), 12 deletions(-) >>> >>> diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c >>> index 320b9fe621..33e379db8f 100644 >>> --- a/xen/arch/x86/mm/mem_access.c >>> +++ b/xen/arch/x86/mm/mem_access.c >>> @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, >>> if ( altp2m_idx ) >>> { >>> if ( altp2m_idx >= MAX_ALTP2M || > > Ok, so have if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_eptp), > MAX_EPTP) || > here and then... > >>> - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) >>> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == > > have MAX_EPTP here and ... > >> >> As implied by a reply to v4, this is still latently buggy: There's >> no guarantee anyone will notice the issue here when bumping >> MAX_ALTP2M past MAX_EPTP. The only future proof thing to do here >> is, as suggested, using some form of min(MAX_ALTP2M, MAX_EPTP) in >> the actual bounds check. Then each array access itself can be made >> use the correct bound. In fact you'd probably have noticed this if >> you had made use of array_access_nospec() where possible (which >> also would help readability) - apparently not here, but ... > >>> + mfn_x(INVALID_MFN) ) >>> return -EINVAL; >>> >>> - ap2m = d->arch.altp2m_p2m[altp2m_idx]; >>> + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; > > MAX_ALTP2M here ? Yes, that's how I think it ought to be. Give others a chance to disagree with me, though. Jan
On 20.12.2019 11:39, Jan Beulich wrote: > On 20.12.2019 10:09, Alexandru Stefan ISAILA wrote: >> >> >> On 19.12.2019 12:43, Jan Beulich wrote: >>> On 19.12.2019 10:42, Alexandru Stefan ISAILA wrote: >>>> This patch aims to sanitize indexes, potentially guest provided >>>> values, for altp2m_eptp[] and altp2m_p2m[] arrays. >>>> >>>> Requested-by: Jan Beulich <jbeulich@suse.com> >>>> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> >>>> --- >>>> CC: Razvan Cojocaru <rcojocaru@bitdefender.com> >>>> CC: Tamas K Lengyel <tamas@tklengyel.com> >>>> CC: Petre Pircalabu <ppircalabu@bitdefender.com> >>>> CC: George Dunlap <george.dunlap@eu.citrix.com> >>>> CC: Jan Beulich <jbeulich@suse.com> >>>> CC: Andrew Cooper <andrew.cooper3@citrix.com> >>>> CC: Wei Liu <wl@xen.org> >>>> CC: "Roger Pau Monné" <roger.pau@citrix.com> >>>> CC: Jun Nakajima <jun.nakajima@intel.com> >>>> CC: Kevin Tian <kevin.tian@intel.com> >>>> --- >>>> Changes since V4: >>>> - Change bounds check from MAX_EPTP to MAX_ALTP2M >>>> - Move array_index_nospec() closer to the bounds check. >>>> --- >>>> xen/arch/x86/mm/mem_access.c | 15 +++++++++------ >>>> xen/arch/x86/mm/p2m.c | 20 ++++++++++++++------ >>>> 2 files changed, 23 insertions(+), 12 deletions(-) >>>> >>>> diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c >>>> index 320b9fe621..33e379db8f 100644 >>>> --- a/xen/arch/x86/mm/mem_access.c >>>> +++ b/xen/arch/x86/mm/mem_access.c >>>> @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, >>>> if ( altp2m_idx ) >>>> { >>>> if ( altp2m_idx >= MAX_ALTP2M || >> >> Ok, so have if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_eptp), >> MAX_EPTP) || >> here and then... >> >>>> - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) >>>> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == >> >> have MAX_EPTP here and ... >> >>> >>> As implied by a reply to v4, this is still latently buggy: There's >>> no guarantee anyone will notice the issue here when bumping >>> MAX_ALTP2M past MAX_EPTP. The only future proof thing to do here >>> is, as suggested, using some form of min(MAX_ALTP2M, MAX_EPTP) in >>> the actual bounds check. Then each array access itself can be made >>> use the correct bound. In fact you'd probably have noticed this if >>> you had made use of array_access_nospec() where possible (which >>> also would help readability) - apparently not here, but ... > >>>> + mfn_x(INVALID_MFN) ) >>>> return -EINVAL; >>>> >>>> - ap2m = d->arch.altp2m_p2m[altp2m_idx]; >>>> + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; >> >> MAX_ALTP2M here ? > > Yes, that's how I think it ought to be. Give others a chance to > disagree with me, though. > There is a slight problem with using (ARRAY_SIZE(..)) it will give "error: static assertion failed:" on __must_be_array(x) because d->arch.altp2m_eptp is not static. Alex
On 20.12.2019 12:49, Alexandru Stefan ISAILA wrote: > > > On 20.12.2019 11:39, Jan Beulich wrote: >> On 20.12.2019 10:09, Alexandru Stefan ISAILA wrote: >>> >>> >>> On 19.12.2019 12:43, Jan Beulich wrote: >>>> On 19.12.2019 10:42, Alexandru Stefan ISAILA wrote: >>>>> This patch aims to sanitize indexes, potentially guest provided >>>>> values, for altp2m_eptp[] and altp2m_p2m[] arrays. >>>>> >>>>> Requested-by: Jan Beulich <jbeulich@suse.com> >>>>> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> >>>>> --- >>>>> CC: Razvan Cojocaru <rcojocaru@bitdefender.com> >>>>> CC: Tamas K Lengyel <tamas@tklengyel.com> >>>>> CC: Petre Pircalabu <ppircalabu@bitdefender.com> >>>>> CC: George Dunlap <george.dunlap@eu.citrix.com> >>>>> CC: Jan Beulich <jbeulich@suse.com> >>>>> CC: Andrew Cooper <andrew.cooper3@citrix.com> >>>>> CC: Wei Liu <wl@xen.org> >>>>> CC: "Roger Pau Monné" <roger.pau@citrix.com> >>>>> CC: Jun Nakajima <jun.nakajima@intel.com> >>>>> CC: Kevin Tian <kevin.tian@intel.com> >>>>> --- >>>>> Changes since V4: >>>>> - Change bounds check from MAX_EPTP to MAX_ALTP2M >>>>> - Move array_index_nospec() closer to the bounds check. >>>>> --- >>>>> xen/arch/x86/mm/mem_access.c | 15 +++++++++------ >>>>> xen/arch/x86/mm/p2m.c | 20 ++++++++++++++------ >>>>> 2 files changed, 23 insertions(+), 12 deletions(-) >>>>> >>>>> diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c >>>>> index 320b9fe621..33e379db8f 100644 >>>>> --- a/xen/arch/x86/mm/mem_access.c >>>>> +++ b/xen/arch/x86/mm/mem_access.c >>>>> @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, >>>>> if ( altp2m_idx ) >>>>> { >>>>> if ( altp2m_idx >= MAX_ALTP2M || >>> >>> Ok, so have if ( altp2m_idx >= min(ARRAY_SIZE(d->arch.altp2m_eptp), >>> MAX_EPTP) || >>> here and then... The 1st arg to min() equals the 2nd, which is ... >>>>> - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) >>>>> + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == >>> >>> have MAX_EPTP here and ... >>> >>>> >>>> As implied by a reply to v4, this is still latently buggy: There's >>>> no guarantee anyone will notice the issue here when bumping >>>> MAX_ALTP2M past MAX_EPTP. The only future proof thing to do here >>>> is, as suggested, using some form of min(MAX_ALTP2M, MAX_EPTP) in >>>> the actual bounds check. Then each array access itself can be made >>>> use the correct bound. In fact you'd probably have noticed this if >>>> you had made use of array_access_nospec() where possible (which >>>> also would help readability) - apparently not here, but ... > >>>>> + mfn_x(INVALID_MFN) ) >>>>> return -EINVAL; >>>>> >>>>> - ap2m = d->arch.altp2m_p2m[altp2m_idx]; >>>>> + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; >>> >>> MAX_ALTP2M here ? >> >> Yes, that's how I think it ought to be. Give others a chance to >> disagree with me, though. >> > > There is a slight problem with using (ARRAY_SIZE(..)) it will give > "error: static assertion failed:" on __must_be_array(x) because > d->arch.altp2m_eptp is not static. ... causing this. Once you use the correct array above, I think things will work. Jan
diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c index 320b9fe621..33e379db8f 100644 --- a/xen/arch/x86/mm/mem_access.c +++ b/xen/arch/x86/mm/mem_access.c @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, if ( altp2m_idx ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); @@ -426,10 +427,11 @@ long p2m_set_mem_access_multi(struct domain *d, if ( altp2m_idx ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); @@ -492,10 +494,11 @@ int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access, else if ( altp2m_idx ) /* altp2m view 0 is treated as the hostp2m */ { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index ba126f790a..16039c7a57 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2574,6 +2574,7 @@ int p2m_init_altp2m_by_id(struct domain *d, unsigned int idx) if ( idx >= MAX_ALTP2M ) return rc; + idx = array_index_nospec(idx, MAX_ALTP2M); altp2m_list_lock(d); if ( d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) @@ -2615,6 +2616,7 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) if ( !idx || idx >= MAX_ALTP2M ) return rc; + idx = array_index_nospec(idx, MAX_ALTP2M); rc = domain_pause_except_self(d); if ( rc ) return rc; @@ -2686,11 +2688,13 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx, mfn_t mfn; int rc = -EINVAL; - if ( idx >= MAX_ALTP2M || d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) + if ( idx >= MAX_ALTP2M || + d->arch.altp2m_eptp[array_index_nospec(idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return rc; hp2m = p2m_get_hostp2m(d); - ap2m = d->arch.altp2m_p2m[idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)]; p2m_lock(hp2m); p2m_lock(ap2m); @@ -3030,10 +3034,12 @@ int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve, if ( altp2m_idx > 0 ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + MAX_ALTP2M)]; } else p2m = host_p2m; @@ -3073,10 +3079,12 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve, if ( altp2m_idx > 0 ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + MAX_ALTP2M)]; } else p2m = host_p2m;
This patch aims to sanitize indexes, potentially guest provided values, for altp2m_eptp[] and altp2m_p2m[] arrays. Requested-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Alexandru Isaila <aisaila@bitdefender.com> --- CC: Razvan Cojocaru <rcojocaru@bitdefender.com> CC: Tamas K Lengyel <tamas@tklengyel.com> CC: Petre Pircalabu <ppircalabu@bitdefender.com> CC: George Dunlap <george.dunlap@eu.citrix.com> CC: Jan Beulich <jbeulich@suse.com> CC: Andrew Cooper <andrew.cooper3@citrix.com> CC: Wei Liu <wl@xen.org> CC: "Roger Pau Monné" <roger.pau@citrix.com> CC: Jun Nakajima <jun.nakajima@intel.com> CC: Kevin Tian <kevin.tian@intel.com> --- Changes since V4: - Change bounds check from MAX_EPTP to MAX_ALTP2M - Move array_index_nospec() closer to the bounds check. --- xen/arch/x86/mm/mem_access.c | 15 +++++++++------ xen/arch/x86/mm/p2m.c | 20 ++++++++++++++------ 2 files changed, 23 insertions(+), 12 deletions(-)