From patchwork Tue Dec 17 15:12:21 2019
X-Patchwork-Submitter: Alexandru Stefan ISAILA
X-Patchwork-Id: 11297887
From: Alexandru Stefan ISAILA
To: "xen-devel@lists.xenproject.org"
Date: Tue, 17 Dec 2019 15:12:21 +0000
Message-ID: <20191217151144.9781-1-aisaila@bitdefender.com>
Subject: [Xen-devel] [PATCH V4 1/4] x86/mm: Add array_index_nospec to guest provided index values
Cc: Petre Ovidiu PIRCALABU, Kevin Tian, Tamas K Lengyel, Wei Liu, Razvan COJOCARU, George Dunlap, Andrew Cooper, Jan Beulich, Jun Nakajima, Alexandru Stefan ISAILA, Roger Pau Monné

This patch aims to sanitize indexes, potentially guest provided values, for altp2m_eptp[] and altp2m_p2m[] arrays.
Signed-off-by: Alexandru Isaila Acked-by: Tamas K Lengyel --- CC: Razvan Cojocaru CC: Tamas K Lengyel CC: Petre Pircalabu CC: George Dunlap CC: Jan Beulich CC: Andrew Cooper CC: Wei Liu CC: "Roger Pau Monné" CC: Jun Nakajima CC: Kevin Tian --- xen/arch/x86/mm/mem_access.c | 15 +++++++++------ xen/arch/x86/mm/p2m-ept.c | 5 +++-- xen/arch/x86/mm/p2m.c | 27 +++++++++++++++++---------- 3 files changed, 29 insertions(+), 18 deletions(-) diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c index 320b9fe621..70f3528bb1 100644 --- a/xen/arch/x86/mm/mem_access.c +++ b/xen/arch/x86/mm/mem_access.c @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, if ( altp2m_idx ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); @@ -426,10 +427,11 @@ long p2m_set_mem_access_multi(struct domain *d, if ( altp2m_idx ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); 
@@ -492,10 +494,11 @@ int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access, else if ( altp2m_idx ) /* altp2m view 0 is treated as the hostp2m */ { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index b5517769c9..e088a63f56 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -1353,7 +1353,8 @@ void setup_ept_dump(void) void p2m_init_altp2m_ept(struct domain *d, unsigned int i) { - struct p2m_domain *p2m = d->arch.altp2m_p2m[i]; + struct p2m_domain *p2m = + d->arch.altp2m_p2m[array_index_nospec(i, MAX_ALTP2M)]; struct p2m_domain *hostp2m = p2m_get_hostp2m(d); struct ept_data *ept; @@ -1366,7 +1367,7 @@ void p2m_init_altp2m_ept(struct domain *d, unsigned int i) p2m->max_mapped_pfn = p2m->max_remapped_gfn = 0; ept = &p2m->ept; ept->mfn = pagetable_get_pfn(p2m_get_pagetable(p2m)); - d->arch.altp2m_eptp[i] = ept->eptp; + d->arch.altp2m_eptp[array_index_nospec(i, MAX_EPTP)] = ept->eptp; } unsigned int p2m_find_altp2m_by_eptp(struct domain *d, uint64_t eptp) diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index ba126f790a..7e7f4f1a7c 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2499,7 +2499,7 @@ static void p2m_reset_altp2m(struct domain *d, unsigned int idx, struct p2m_domain *p2m; ASSERT(idx < MAX_ALTP2M); - p2m = d->arch.altp2m_p2m[idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)]; p2m_lock(p2m); 
@@ -2540,7 +2540,7 @@ static int p2m_activate_altp2m(struct domain *d, unsigned int idx) ASSERT(idx < MAX_ALTP2M); - p2m = d->arch.altp2m_p2m[idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)]; hostp2m = p2m_get_hostp2m(d); p2m_lock(p2m); @@ -2622,9 +2622,10 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) rc = -EBUSY; altp2m_list_lock(d); - if ( d->arch.altp2m_eptp[idx] != mfn_x(INVALID_MFN) ) + if ( d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] != + mfn_x(INVALID_MFN) ) { - p2m = d->arch.altp2m_p2m[idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)]; if ( !_atomic_read(p2m->active_vcpus) ) { @@ -2686,11 +2687,13 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx, mfn_t mfn; int rc = -EINVAL; - if ( idx >= MAX_ALTP2M || d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) + if ( idx >= MAX_ALTP2M || + d->arch.altp2m_eptp[array_index_nospec(idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return rc; hp2m = p2m_get_hostp2m(d); - ap2m = d->arch.altp2m_p2m[idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)]; p2m_lock(hp2m); p2m_lock(ap2m); @@ -3030,10 +3033,12 @@ int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve, if ( altp2m_idx > 0 ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + MAX_ALTP2M)]; } else p2m = host_p2m; 
@@ -3073,10 +3078,12 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve, if ( altp2m_idx > 0 ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_EPTP)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + MAX_ALTP2M)]; } else p2m = host_p2m;
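Review bot: In the three mem_access.c hunks (p2m_set_mem_access(), p2m_set_mem_access_multi(), p2m_get_mem_access()) the architectural check is `altp2m_idx >= MAX_ALTP2M`, but the altp2m_eptp[] read in the same condition is clamped with `array_index_nospec(altp2m_idx, MAX_EPTP)`, so the checked bound and the speculation bound differ. If MAX_EPTP is larger than MAX_ALTP2M, a mispredicted branch can still read altp2m_eptp[] entries between the two limits, which is only harmless if altp2m_eptp[] really holds MAX_EPTP entries. Either clamp with the constant used in the check, or state in the commit message why MAX_EPTP is the correct bound for that array. Separately, no file in this diff gains an #include, so please confirm the header declaring array_index_nospec() is already reachable from all three files.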
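Review bot: In p2m-ept.c, p2m_init_altp2m_ept() shows no range check on `i` in the hunk context, so array_index_nospec() is the only thing limiting it, and an out-of-range `i` is turned into index 0 rather than rejected. The function would then reinitialise altp2m_p2m[0] and store into altp2m_eptp[0] without any error. If every caller already validates `i`, say so in a comment and add `ASSERT(i < MAX_ALTP2M)` at the top; if not, this needs a real check. It would also read better to clamp `i` once at function entry instead of at each of the two uses, which currently apply different bounds (MAX_ALTP2M and MAX_EPTP) to the same value.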
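Review bot: In p2m.c, p2m_reset_altp2m() and p2m_activate_altp2m() have only `ASSERT(idx < MAX_ALTP2M)` ahead of the clamped access, and ASSERT is compiled out of release builds, so there the clamp is the sole guard and an out-of-range idx silently selects altp2m_p2m[0]. Both functions are static, so the commit message should say which call paths hand them a guest-provided idx. If the callers already range-check and clamp, the array_index_nospec() here is redundant; if they do not, these need an explicit check that returns an error instead of relying on the clamp.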
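Review bot: In p2m.c, p2m_destroy_altp2m_by_id(), p2m_change_altp2m_gfn(), p2m_set_suppress_ve() and p2m_get_suppress_ve() each open-code the same "range check, clamped altp2m_eptp[] test, clamped altp2m_p2m[] fetch" sequence that mem_access.c already repeats three times, and in the two suppress_ve hunks the call has to wrap mid-argument (`array_index_nospec(altp2m_idx,` followed by `MAX_ALTP2M)];`). A small helper taking the domain and index, performing the check and clamp once and returning the p2m or NULL, would remove the duplication and make it harder for a future call site to omit the clamp or pick the wrong bound. Note also that the p2m_destroy_altp2m_by_id() hunk shows no range check on idx in its visible context; please confirm one precedes the `altp2m_list_lock(d)` call.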