From: Jan Beulich
To: "xen-devel@lists.xenproject.org"
Cc: Daniel de Graaf, Andrew Cooper, George Dunlap, Ian Jackson, Julien Grall, Stefano Stabellini, Wei Liu
Subject: [PATCH] xsm/dummy: harden against speculative abuse
Date: Thu, 17 Dec 2020 12:57:01 +0100
Message-ID: <34833712-93d9-1b4e-1ebf-9df5ea93d19f@suse.com>
X-Patchwork-Submitter: Jan Beulich
X-Patchwork-Id: 11979665

First of all don't open-code is_control_domain(), which is already suitably using evaluate_nospec(). Then also apply this construct to the other paths of xsm_default_action(). Also guard two paths not using this function.

Signed-off-by: Jan Beulich Reviewed-by: Wei Liu --- While the functions are always_inline I'm not entirely certain we can get away with doing this inside of them, rather than in the callers. It will certainly take more to also guard builds with non-dummy XSM. --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -76,20 +76,20 @@ static always_inline int xsm_default_act case XSM_HOOK: return 0; case XSM_TARGET: - if ( src == target ) + if ( evaluate_nospec(src == target) ) { return 0; case XSM_XS_PRIV: - if ( is_xenstore_domain(src) ) + if ( evaluate_nospec(is_xenstore_domain(src)) ) return 0; } /* fall through */ case XSM_DM_PRIV: - if ( target && src->target == target ) + if ( target && evaluate_nospec(src->target == target) ) return 0; /* fall through */ case XSM_PRIV: - if ( src->is_privileged ) + if ( !is_control_domain(src) ) return 0; return -EPERM; default: @@ -656,7 +656,7 @@ static XSM_INLINE int xsm_mmu_update(XSM XSM_ASSERT_ACTION(XSM_TARGET); if ( f != dom_io ) rc = xsm_default_action(action, d, f); - if ( t && !rc ) + if ( evaluate_nospec(t) && !rc ) rc = xsm_default_action(action, d, t); return rc; } @@ -750,6 +750,7 @@ static XSM_INLINE int xsm_xen_version (X case XENVER_platform_parameters: case XENVER_get_features: /* These sub-ops ignore the permission checks and return data. */ + block_speculation(); return 0; case XENVER_extraversion: case XENVER_compile_info:
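
Review bot: in the first hunk, under `case XSM_PRIV:` of xsm_default_action(), the replacement `if ( !is_control_domain(src) )` negates the condition it replaces. The removed line returned 0 when `src->is_privileged` was set, and the commit message describes that line as an open-coded is_control_domain(), so as written the case returns 0 for a domain that is not the control domain and -EPERM for the one that is. The XSM_TARGET, XSM_XS_PRIV and XSM_DM_PRIV cases fall through to this point, so they inherit the inverted result whenever their own test does not match. Drop the `!` so the line reads `if ( is_control_domain(src) )`.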
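
Review bot: in the xsm_mmu_update() hunk, the NULL check on the target domain is wrapped as `evaluate_nospec(t) && !rc`, but the equivalent NULL check in xsm_default_action()'s XSM_DM_PRIV case is left bare as `target && evaluate_nospec(src->target == target)`, and the `f != dom_io` test in the context line just above the change is not guarded either. Treat the checks alike, or state in the commit message why those two need no guard, so that a later reader can tell a decision from an omission.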
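
Review bot: in the xsm_xen_version() hunk, `block_speculation();` is added directly under a comment saying these sub-ops ignore the permission checks, which leaves it unclear what the barrier is protecting on a path that performs no check. Extend that comment with a sentence naming the branch the barrier closes off, since neither the code nor the commit message ("Also guard two paths not using this function") gives the reason.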