From patchwork Wed Mar 30 11:34:25 2016
X-Patchwork-Submitter: Paul Durrant
X-Patchwork-Id: 8695521
From: Paul Durrant
Date: Wed, 30 Mar 2016 12:34:25 +0100
Message-ID: <1459337665-29319-1-git-send-email-paul.durrant@citrix.com>
Cc: Andrew Cooper, Paul Durrant, Keir Fraser, Jan Beulich
Subject: [Xen-devel] [PATCH v3] x86/hvm/viridian: zero and check vcpu context __pad field

Commit 57844631 "save APIC assist vector" added an extra field to the viridian vcpu context save record. This field was only a uint8_t and so an extra __pad field was also added to pad up to the next 64-bit boundary.

This patch makes sure that __pad field is zeroed on save and checked for zero on restore. This prevents a potential leak of information from the stack and provides a compatibility check against future use of the space occupied by the __pad field.

This patch also adds a memset to make sure that the viridian domain context is fully zeroed. This is not strictly necessary but helps make the code more robust if fields are added to that struct in future.
Signed-off-by: Paul Durrant Cc: Keir Fraser Cc: Jan Beulich Cc: Andrew Cooper --- v3: - make zero_page accessible outside mm.c v2: - drop is_zero() helper an use memcmp against zero_page instead. - add memset to viridian_save_domain_ctxt() to reduce potential for information leakage in future. --- xen/arch/x86/hvm/viridian.c | 7 +++++++ xen/arch/x86/mm.c | 5 +++-- xen/include/asm-x86/mm.h | 2 ++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/hvm/viridian.c b/xen/arch/x86/hvm/viridian.c index 5c76c1a..165f58e 100644 --- a/xen/arch/x86/hvm/viridian.c +++ b/xen/arch/x86/hvm/viridian.c @@ -785,6 +785,8 @@ static int viridian_save_domain_ctxt(struct domain *d, hvm_domain_context_t *h) if ( !is_viridian_domain(d) ) return 0; + memset(&ctxt, 0, sizeof(ctxt)); + ctxt.time_ref_count = d->arch.hvm_domain.viridian.time_ref_count.val; ctxt.hypercall_gpa = d->arch.hvm_domain.viridian.hypercall_gpa.raw; ctxt.guest_os_id = d->arch.hvm_domain.viridian.guest_os_id.raw; @@ -824,6 +826,8 @@ static int viridian_save_vcpu_ctxt(struct domain *d, hvm_domain_context_t *h) for_each_vcpu( d, v ) { struct hvm_viridian_vcpu_context ctxt; + memset(&ctxt, 0, sizeof(ctxt)); + ctxt.apic_assist_msr = v->arch.hvm_vcpu.viridian.apic_assist.msr.raw; ctxt.apic_assist_vector = v->arch.hvm_vcpu.viridian.apic_assist.vector; @@ -851,6 +855,9 @@ static int viridian_load_vcpu_ctxt(struct domain *d, hvm_domain_context_t *h) if ( hvm_load_entry_zeroextend(VIRIDIAN_VCPU, h, &ctxt) != 0 ) return -EINVAL; + if ( memcmp(&ctxt._pad, zero_page, sizeof(ctxt._pad)) ) + return -EINVAL; + v->arch.hvm_vcpu.viridian.apic_assist.msr.raw = ctxt.apic_assist_msr; if ( v->arch.hvm_vcpu.viridian.apic_assist.msr.fields.enabled ) initialize_apic_assist(v); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index c997b53..b8b41fa 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c 
@@ -589,7 +589,8 @@ static inline void guest_get_eff_kern_l1e(struct vcpu *v, unsigned long addr, TOGGLE_MODE(); } -static const char __section(".bss.page_aligned.const") zero_page[PAGE_SIZE]; +static const char __section(".bss.page_aligned.const") __zero_page[PAGE_SIZE]; +const char *zero_page = __zero_page; static void invalidate_shadow_ldt(struct vcpu *v, int flush) { @@ -4562,7 +4563,7 @@ void destroy_gdt(struct vcpu *v) { l1_pgentry_t *pl1e; unsigned int i; - unsigned long pfn, zero_pfn = PFN_DOWN(__pa(zero_page)); + unsigned long pfn, zero_pfn = PFN_DOWN(__pa(__zero_page)); v->arch.pv_vcpu.gdt_ents = 0; pl1e = gdt_ldt_ptes(v->domain, v); diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index b25942b..01553ab 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -595,4 +595,6 @@ typedef struct mm_rwlock { &(d)->xenpage_list : &(d)->page_list, \ &(d)->arch.relmem_list) +extern const char *zero_page; + #endif /* __ASM_X86_MM_H__ */
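Review bot: in the viridian_load_vcpu_ctxt hunk the member checked is `ctxt._pad`, while the subject line and description call it `__pad`; the commit message should use the name the save-record struct actually declares so that readers grepping the public header find it. The check itself is sound as written: `memcmp(&ctxt._pad, zero_page, sizeof(ctxt._pad))` only requires that the pad be no larger than one page, which trivially holds for padding that rounds a uint8_t up to a 64-bit boundary, and because the record is read with hvm_load_entry_zeroextend, a shorter record from a save image that predates the field is zero-extended and still passes, so the new `-EINVAL` path only fires for records that really carry non-zero bytes there.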
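Review bot: in the mm.c and mm.h hunks the page is exported as a plain mutable pointer (`+const char *zero_page = __zero_page;` and `+extern const char *zero_page;`), so the pointer itself sits in writable data and can be repointed, and every user pays an extra indirection to reach the page. Consider either `const char *const zero_page = __zero_page;` with the matching `extern const char *const zero_page;`, or dropping `static` from the array and declaring `extern const char zero_page[PAGE_SIZE];` in mm.h; the latter also removes the need for the `__zero_page` rename, since `__pa(zero_page)` in destroy_gdt keeps working on the array directly.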
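The pattern the patch applies, written out as an added, stand-alone example rather than Xen's own code: a save record that gained a uint8_t field plus explicit padding is zeroed with memset before its fields are filled, and on restore the padding is compared against an all-zero page and the record is rejected if any pad byte is set. The record layout, the `zero_page` array and the function names (`save_record`, `load_record`, `round_trip`, `load_with_dirty_pad`) are assumptions for illustration; only the memset-then-fill and memcmp-against-zero-page steps come from the patch.

```c
/* Added example; not Xen source. Struct and function names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define ZERO_PAGE_SIZE 4096

/* Stand-in for the hypervisor's page-sized all-zero constant, used as the
 * comparison source for "is this region entirely zero?" checks. */
static const char zero_page[ZERO_PAGE_SIZE];

/* Hypothetical save record: a uint8_t field followed by explicit padding up
 * to the next 64-bit boundary, as in the viridian vcpu context record. */
struct viridian_vcpu_record {
    uint64_t apic_assist_msr;
    uint8_t  apic_assist_vector;
    uint8_t  _pad[7];
};

/* Save path: clear the whole record first, then fill the named fields.
 * Without the memset, _pad would carry whatever the stack held before. */
void save_record(struct viridian_vcpu_record *rec, uint64_t msr, uint8_t vector)
{
    memset(rec, 0, sizeof(*rec));
    rec->apic_assist_msr = msr;
    rec->apic_assist_vector = vector;
}

/* Restore path: refuse any record whose padding is not all zero, so the
 * space can later be given a meaning without silently accepting old junk. */
int load_record(const struct viridian_vcpu_record *rec,
                uint64_t *msr, uint8_t *vector)
{
    if (memcmp(rec->_pad, zero_page, sizeof(rec->_pad)) != 0)
        return -EINVAL;
    *msr = rec->apic_assist_msr;
    *vector = rec->apic_assist_vector;
    return 0;
}

/* Save a record and load it back; returns load_record's status. */
int round_trip(uint64_t msr, uint8_t vector, uint64_t *msr_out, uint8_t *vector_out)
{
    struct viridian_vcpu_record rec;
    save_record(&rec, msr, vector);
    return load_record(&rec, msr_out, vector_out);
}

/* 1 if the values survive a save/load round trip unchanged, 0 otherwise. */
int round_trip_matches(uint64_t msr, uint8_t vector)
{
    uint64_t m;
    uint8_t v;
    if (round_trip(msr, vector, &m, &v) != 0)
        return 0;
    return m == msr && v == vector;
}

/* A record whose padding holds a stray byte, as a record saved without the
 * memset (or a tampered save image) might; expected result is -EINVAL. */
int load_with_dirty_pad(void)
{
    struct viridian_vcpu_record rec;
    uint64_t m;
    uint8_t v;
    save_record(&rec, 0x1234, 0xf0);
    rec._pad[3] = 0x5a;   /* constructed: simulate stale stack contents */
    return load_record(&rec, &m, &v);
}
```

The memcmp against a zero page, rather than a byte loop, is the same trick the patch uses: it needs no helper and works for any pad region up to a page in size.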