From patchwork Tue Jun 14 15:05:37 2016
X-Patchwork-Submitter: Stefano Stabellini
X-Patchwork-Id: 9176091
From: Stefano Stabellini
To: peter.maydell@linaro.org
Date: Tue, 14 Jun 2016 16:05:37 +0100
Message-Id: <1465916738-15687-1-git-send-email-sstabellini@kernel.org>
Cc: anthony.perard@citrix.com, sstabellini@kernel.org, qemu-devel@nongnu.org, Jan Beulich, xen-devel@lists.xen.org
Subject: [Xen-devel] [PULL 1/2] xen/blkif: avoid double access to any shared ring request fields

From: Jan Beulich

Commit f9e98e5d7a ("xen/blkif: Avoid double access to src->nr_segments") didn't go far enough: src->operation is also being used twice. And nothing was done to prevent the compiler from using the source side of the copy done by blk_get_request() (granted that's very unlikely).

Move the barrier()s up, and add another one to blk_get_request().

Note that for completing XSA-155, the barrier() getting added to blk_get_request() would suffice, and hence the changes to xen_blkif.h are more like just cleanup. And since, as said, the unpatched code getting compiled to something vulnerable is very unlikely (and not observed in practice), this isn't being viewed as a new security issue.

Signed-off-by: Jan Beulich
Reviewed-by: Stefano Stabellini
Signed-off-by: Stefano Stabellini

--- hw/block/xen_blkif.h | 12 ++++++------ hw/block/xen_disk.c | 2 ++ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h index c68487cb..e3b133b 100644 --- a/hw/block/xen_blkif.h +++ b/hw/block/xen_blkif.h
@@ -79,14 +79,14 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) @@ -102,14 +102,14 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c index 064c116..cf57814 100644 --- a/hw/block/xen_disk.c +++ b/hw/block/xen_disk.c @@ -679,6 +679,8 @@ static int blk_get_request(struct XenBlkDev *blkdev, struct ioreq *ioreq, RING_I RING_GET_REQUEST(&blkdev->rings.x86_64_part, rc)); break; } + /* Prevent the compiler from accessing the on-ring fields instead. */ + barrier(); return 0; }
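Review bot: In the first xen_blkif.h hunk (blkif_get_x86_32_req), the new comment "Prevent the compiler from using src->... instead." is less informative than the one it replaces, which named src->nr_segments. The barrier() now guards two later reads of the private copy, the `dst->operation == BLKIF_OP_DISCARD` test and the `n > dst->nr_segments` clamp, and the comment should name both so that a future edit does not move either check back above the barrier or back onto src.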
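Review bot: In the second xen_blkif.h hunk (blkif_get_x86_64_req), the discard branch still reads the shared ring after the barrier through `d->nr_sectors = s->nr_sectors;`, and the segment loop that follows also copies from src with no barrier() after it in this function. Those copies are only protected by the barrier() this patch adds at the end of blk_get_request() in xen_disk.c, so a short comment here noting that dependency would help, since the helper is not safe against re-reads on its own. The same applies to the identical 32-bit hunk.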
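Review bot: In the xen_disk.c hunk, the comment on the barrier() added before `return 0;` in blk_get_request() does not say that this is the barrier the commit message identifies as sufficient for XSA-155, with the xen_blkif.h changes described as cleanup. I would record that in the comment, together with the rule it enforces: after this point only the copied request may be used, never the on-ring fields. It is also worth stating that barrier() constrains the compiler only, so the guarantee is a single fetch into the local copy and the copied values still need their usual validation.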