[xen staging-4.18] x86/boot: Fix XSM module handling during PVH boot
commit 2b18f341cb5c66bbc3260a8e0dd9f42b2f58d78c
Author: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
AuthorDate: Tue Oct 29 16:42:29 2024 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 29 16:42:29 2024 +0100
x86/boot: Fix XSM module handling during PVH boot
As detailed in commit 0fe607b2a144 ("x86/boot: Fix PVH boot during boot_info
transition period"), the use of __va(mbi->mods_addr) constitutes a
use-after-free on the PVH boot path.
This pattern has been in use since before PVH support was added. This has
most likely gone unnoticed because no-one's tried using a detached Flask
policy in a PVH VM before.
Plumb the boot_info pointer down, replacing module_map and mbi.
Importantly,
bi->mods[].mod is a safe way to access the module list during PVH boot.
As this is the final non-bi use of mbi in __start_xen(), make the pointer
unusable once bi has been established, to prevent new uses creeping back in.
This is a stopgap until mbi can be fully removed.
Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
master commit: 6cf0aaeb8df951fb34679f0408461a5c67cb02c6
master date: 2024-10-23 18:14:24 +0100
---
xen/arch/x86/setup.c | 2 +-
xen/include/xsm/xsm.h | 7 +++++--
xen/xsm/xsm_core.c | 7 ++++---
xen/xsm/xsm_policy.c | 2 +-
4 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
index 1d5d3f8a66..689f828d6a 100644
--- a/xen/arch/x86/setup.c
+++ b/xen/arch/x86/setup.c
@@ -1771,7 +1771,7 @@ void __init noreturn __start_xen(unsigned long mbi_p)
mmio_ro_ranges = rangeset_new(NULL, "r/o mmio ranges",
RANGESETF_prettyprint_hex);
- xsm_multiboot_init(module_map, mbi);
+ xsm_multiboot_init(module_map, mbi, mod);
/*
* IOMMU-related ACPI table parsing may require some of the system domains
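Review bot: The new call still passes `mbi` to `xsm_multiboot_init()` and only adds `mod` next to it, so the step the description mentions, making the `mbi` pointer unusable once the safe module list exists, is not part of this hunk. Nothing here stops a later change from reintroducing `__va(mbi->mods_addr)` further down the call chain. `mod` is declared outside the hunk, so these lines cannot confirm that it is the module list that is valid on the PVH path. A comment at the call would record the constraint, for example `/* Pass the module list explicitly: __va(mbi->mods_addr) is a use-after-free on the PVH boot path. */`.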
diff --git a/xen/include/xsm/xsm.h b/xen/include/xsm/xsm.h
index 627c0d2731..5867ccceaf 100644
--- a/xen/include/xsm/xsm.h
+++ b/xen/include/xsm/xsm.h
@@ -779,9 +779,11 @@ static inline int xsm_argo_send(const struct domain *d,
const struct domain *t)
#ifdef CONFIG_MULTIBOOT
int xsm_multiboot_init(
- unsigned long *module_map, const multiboot_info_t *mbi);
+ unsigned long *module_map, const multiboot_info_t *mbi,
+ const module_t mods[]);
int xsm_multiboot_policy_init(
unsigned long *module_map, const multiboot_info_t *mbi,
+ const module_t mods[],
void **policy_buffer, size_t *policy_size);
#endif
@@ -829,7 +831,8 @@ static const inline struct xsm_ops *silo_init(void)
#ifdef CONFIG_MULTIBOOT
static inline int xsm_multiboot_init (
- unsigned long *module_map, const multiboot_info_t *mbi)
+ unsigned long *module_map, const multiboot_info_t *mbi,
+ const module_t mods[])
{
return 0;
}
diff --git a/xen/xsm/xsm_core.c b/xen/xsm/xsm_core.c
index eaa028109b..82b0d76d40 100644
--- a/xen/xsm/xsm_core.c
+++ b/xen/xsm/xsm_core.c
@@ -140,7 +140,8 @@ static int __init xsm_core_init(const void *policy_buffer,
size_t policy_size)
#ifdef CONFIG_MULTIBOOT
int __init xsm_multiboot_init(
- unsigned long *module_map, const multiboot_info_t *mbi)
+ unsigned long *module_map, const multiboot_info_t *mbi,
+ const module_t mods[])
{
int ret = 0;
void *policy_buffer = NULL;
@@ -150,8 +151,8 @@ int __init xsm_multiboot_init(
if ( XSM_MAGIC )
{
- ret = xsm_multiboot_policy_init(module_map, mbi, &policy_buffer,
- &policy_size);
+ ret = xsm_multiboot_policy_init(module_map, mbi, mods,
+ &policy_buffer, &policy_size);
if ( ret )
{
bootstrap_map(NULL);
diff --git a/xen/xsm/xsm_policy.c b/xen/xsm/xsm_policy.c
index 8dafbc9381..9244a3612d 100644
--- a/xen/xsm/xsm_policy.c
+++ b/xen/xsm/xsm_policy.c
@@ -32,10 +32,10 @@
#ifdef CONFIG_MULTIBOOT
int __init xsm_multiboot_policy_init(
unsigned long *module_map, const multiboot_info_t *mbi,
+ const module_t mod[],
void **policy_buffer, size_t *policy_size)
{
int i;
- module_t *mod = (module_t *)__va(mbi->mods_addr);
int rc = 0;
u32 *_policy_start;
unsigned long _policy_len;
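Review bot: The array parameter is spelled `mod` in this definition but `mods` in the declarations in xen/include/xsm/xsm.h and in xsm_core.c; a single spelling would keep the prototype and the definition searchable together. The array also arrives without a length while the function keeps its `mbi` argument, so the loop bound presumably still comes from `mbi` in the part of the body below the hunk, which is not visible here. If that count and the array actually passed ever disagree, the policy search would read past the end of the module list. A short comment on the parameter would state the contract, e.g. `/* mod[]: boot module list with at least mbi->mods_count entries; never derive it from mbi->mods_addr */`.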
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.18