Xen project Mailing List

Re: [Xen-devel] [PATCH 2/3] x86/percpu: Force INVALID_PERCPU_AREA into the non-canonical address region

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Thu, 26 Sep 2013 11:04:43 +0100

Cc: Tim Deegan <tim@xxxxxxx>, Keir Fraser <keir@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>

Delivery-date: Thu, 26 Sep 2013 10:05:10 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 26/09/13 10:49, Andrew Cooper wrote: > This causes accidental uses of per_cpu() on a pcpu with an INVALID_PERCPU_AREA > to result in a #GF for attempting to access the middle of the non-canonical > virtual address region. > > This is preferable to the current behaviour, where incorrect use of per_cpu() > will result in an effective NULL structure dereference which has security > implication in the context of PV guests. This could do with clarifying somewhat. The security concern is simply dereferencing a NULL pointer in the context of a PV guest, not from any specific use of this code. This patch simply prevents Xen from accidentally dereferencing a NULL pointer in the case of an offline pcpu. As there are no guest hypercalls which should be able to cause this, there is no specific security issue here. The previous patch fixes the case where toolstack hypercalls could cause this behaviour. ~Andrew > > Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > CC: Keir Fraser <keir@xxxxxxx> > CC: Jan Beulich <JBeulich@xxxxxxxx> > CC: Tim Deegan <tim@xxxxxxx> > --- > xen/arch/x86/percpu.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/xen/arch/x86/percpu.c b/xen/arch/x86/percpu.c > index e545024..1c1dad9 100644 > --- a/xen/arch/x86/percpu.c > +++ b/xen/arch/x86/percpu.c > @@ -6,7 +6,14 @@ > #include <xen/rcupdate.h> > > unsigned long __per_cpu_offset[NR_CPUS]; > -#define INVALID_PERCPU_AREA (-(long)__per_cpu_start) > + > +/* > + * Force uses of per_cpu() with an invalid area to attempt to access the > + * middle of the non-canonical address space resulting in a #GP, rather than > a > + * possible #PF at (NULL + a little) which has security implications in the > + * context of PV guests. > + */ > +#define INVALID_PERCPU_AREA (0x8000000000000000L - (long)__per_cpu_start) > #define PERCPU_ORDER > (get_order_from_bytes(__per_cpu_data_end-__per_cpu_start)) > > void __init percpu_init_areas(void) _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.