From patchwork Thu Dec 19 09:42:53 2019
X-Patchwork-Submitter: Alexandru Stefan ISAILA
X-Patchwork-Id: 11302931
From: Alexandru Stefan ISAILA
To: "xen-devel@lists.xenproject.org"
Cc: Petre Ovidiu PIRCALABU, Kevin Tian, Tamas K Lengyel, Wei Liu, Razvan COJOCARU, George Dunlap, Andrew Cooper, Jan Beulich, Jun Nakajima, Alexandru Stefan ISAILA, Roger Pau Monné
Date: Thu, 19 Dec 2019 09:42:53 +0000
Message-ID: <20191219094236.22002-1-aisaila@bitdefender.com>
Subject: [Xen-devel] [PATCH V5 1/4] x86/mm: Add array_index_nospec to guest provided index values

This patch aims to sanitize indexes, potentially guest provided values, for altp2m_eptp[] and altp2m_p2m[] arrays.

Requested-by: Jan Beulich
Signed-off-by: Alexandru Isaila --- CC: Razvan Cojocaru CC: Tamas K Lengyel CC: Petre Pircalabu CC: George Dunlap CC: Jan Beulich CC: Andrew Cooper CC: Wei Liu CC: "Roger Pau Monné" CC: Jun Nakajima CC: Kevin Tian --- Changes since V4: - Change bounds check from MAX_EPTP to MAX_ALTP2M - Move array_index_nospec() closer to the bounds check. --- xen/arch/x86/mm/mem_access.c | 15 +++++++++------ xen/arch/x86/mm/p2m.c | 20 ++++++++++++++------ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/mm/mem_access.c b/xen/arch/x86/mm/mem_access.c index 320b9fe621..33e379db8f 100644 --- a/xen/arch/x86/mm/mem_access.c +++ b/xen/arch/x86/mm/mem_access.c @@ -367,10 +367,11 @@ long p2m_set_mem_access(struct domain *d, gfn_t gfn, uint32_t nr, if ( altp2m_idx ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); @@ -426,10 +427,11 @@ long p2m_set_mem_access_multi(struct domain *d, if ( altp2m_idx ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - ap2m = d->arch.altp2m_p2m[altp2m_idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); 
@@ -492,10 +494,11 @@ int p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access, else if ( altp2m_idx ) /* altp2m view 0 is treated as the hostp2m */ { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, MAX_ALTP2M)]; } #else ASSERT(!altp2m_idx); diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index ba126f790a..16039c7a57 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2574,6 +2574,7 @@ int p2m_init_altp2m_by_id(struct domain *d, unsigned int idx) if ( idx >= MAX_ALTP2M ) return rc; + idx = array_index_nospec(idx, MAX_ALTP2M); altp2m_list_lock(d); if ( d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) @@ -2615,6 +2616,7 @@ int p2m_destroy_altp2m_by_id(struct domain *d, unsigned int idx) if ( !idx || idx >= MAX_ALTP2M ) return rc; + idx = array_index_nospec(idx, MAX_ALTP2M); rc = domain_pause_except_self(d); if ( rc ) return rc; @@ -2686,11 +2688,13 @@ int p2m_change_altp2m_gfn(struct domain *d, unsigned int idx, mfn_t mfn; int rc = -EINVAL; - if ( idx >= MAX_ALTP2M || d->arch.altp2m_eptp[idx] == mfn_x(INVALID_MFN) ) + if ( idx >= MAX_ALTP2M || + d->arch.altp2m_eptp[array_index_nospec(idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return rc; hp2m = p2m_get_hostp2m(d); - ap2m = d->arch.altp2m_p2m[idx]; + ap2m = d->arch.altp2m_p2m[array_index_nospec(idx, MAX_ALTP2M)]; p2m_lock(hp2m); p2m_lock(ap2m); 
@@ -3030,10 +3034,12 @@ int p2m_set_suppress_ve(struct domain *d, gfn_t gfn, bool suppress_ve, if ( altp2m_idx > 0 ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + MAX_ALTP2M)]; } else p2m = host_p2m; @@ -3073,10 +3079,12 @@ int p2m_get_suppress_ve(struct domain *d, gfn_t gfn, bool *suppress_ve, if ( altp2m_idx > 0 ) { if ( altp2m_idx >= MAX_ALTP2M || - d->arch.altp2m_eptp[altp2m_idx] == mfn_x(INVALID_MFN) ) + d->arch.altp2m_eptp[array_index_nospec(altp2m_idx, MAX_ALTP2M)] == + mfn_x(INVALID_MFN) ) return -EINVAL; - p2m = ap2m = d->arch.altp2m_p2m[altp2m_idx]; + p2m = ap2m = d->arch.altp2m_p2m[array_index_nospec(altp2m_idx, + MAX_ALTP2M)]; } else p2m = host_p2m;
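Review bot: in the three mem_access.c hunks (p2m_set_mem_access, p2m_set_mem_access_multi, p2m_get_mem_access) array_index_nospec(altp2m_idx, MAX_ALTP2M) is evaluated twice per function, once inside the altp2m_eptp[] test and again for the altp2m_p2m[] load. Consider splitting the condition so that the range check `if ( altp2m_idx >= MAX_ALTP2M ) return -EINVAL;` stands alone and is followed by a single `altp2m_idx = array_index_nospec(altp2m_idx, MAX_ALTP2M);` (or a clamped local copy). Both array accesses then use the same clamped value, the code matches what the patch already does in p2m_init_altp2m_by_id(), and the condition no longer needs to wrap before `mfn_x(INVALID_MFN)`.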
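Review bot: p2m.c ends up with two conventions for the same fix. p2m_init_altp2m_by_id() and p2m_destroy_altp2m_by_id() overwrite idx once right after the bounds check, while p2m_change_altp2m_gfn(), p2m_set_suppress_ve() and p2m_get_suppress_ve() clamp at each subscript. The per-subscript form forces the call to wrap inside the brackets (`altp2m_p2m[array_index_nospec(altp2m_idx,` continued by `MAX_ALTP2M)];`) and leaves the unclamped variable in scope for any other use in those functions. Please use the single reassignment throughout. The commit message would also benefit from one sentence on why an index that has just been range-checked still needs array_index_nospec(), since the description only says the indexes are sanitized.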