
Re: [Xen-devel] [PATCH v2] x86/viridian: Add Partition Reference Time enlightenment



>>> On 14.10.14 at 09:45, <ian.campbell@xxxxxxxxxx> wrote:
> On Mon, 2014-10-13 at 09:10 +0100, Jan Beulich wrote:
>> >>> On 10.10.14 at 18:36, <msw@xxxxxxxxx> wrote:
>> > On Mon, Sep 29, 2014 at 11:28:44AM +0100, Paul Durrant wrote:
>> >> +    /*
>> >> +     * The guest will calculate reference time according to the following
>> >> +     * formula:
>> >> +     *
>> >> +     * ReferenceTime = ((RDTSC() * TscScale) >> 64) + TscOffset
>> >> +     *
>> >> +     * Windows uses a 100ns tick, so we need a scale which is cpu
>> >> +     * ticks per 100ns shifted left by 64.
>> >> +     */
>> >> +    p->TscScale = ((10000ul << 32) / d->arch.tsc_khz) << 32;
>> >> +
>> >> +    do {
>> >> +        p->TscSequence++;
>> >> +    } while ( p->TscSequence == 0xFFFFFFFF ||
>> >> +              p->TscSequence == 0 ); /* Avoid both 'invalid' values */
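Review bot: the do/while at the end of the hunk re-reads p->TscSequence on every iteration, and p points into a page the guest can write, so another vCPU storing 0 or 0xFFFFFFFF into the field in a loop can keep the hypervisor spinning here indefinitely. Increment a local copy and publish it with a single store, e.g. `x = p->TscSequence; do { x++; } while ( x == 0xFFFFFFFF || x == 0 ); p->TscSequence = x;`, so the decision never depends on re-fetched guest memory. Also, the comment describes TscScale as "cpu ticks per 100ns shifted left by 64", but 10000 / tsc_khz is the number of 100ns units per TSC tick, which is what the guest's multiply-then-shift-by-64 formula above requires; the comment should say that.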
>> > 
>> > Anthony Liguori and I were looking this over today and he pointed
>> > something out: couldn't a second vCPU of the guest write 0 or
>> > 0xffffffff in a tight loop to cause a hypervisor DoS?
>> 
>> Yes, this is at least a theoretical issue that should be fixed. I don't
>> think it's a practical issue though: I'd expect the compiler to eliminate
>> the two reads of the field and instead directly use the result of the
>> increment.
> 
> Wouldn't that just mean the attacker needs to write fffffffe or ffffffff
> instead?

No. The effect of what I said would amount to

        x = p->TscSequence;                 /* single read of the shared field */
        do {
                x++;
        } while ( !(x + 1) || !x );         /* skip 0xFFFFFFFF and 0 */
        p->TscSequence = x;                 /* single write back */

(or something equivalent without using a loop).

Jan
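Added example, not code from this thread or from Xen: it shows the sequence update done on a local copy (one read, one write of the guest-shared field, so the loop is bounded whatever the guest writes) next to the TscScale formula from the patch and the guest-side ReferenceTime calculation it feeds. The struct layout, function names and the 2 GHz / 20 MHz sample rates are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the guest-shared reference TSC page (layout is
 * illustrative, not Xen's own structure). */
struct ref_tsc_page {
    volatile uint32_t TscSequence;   /* the guest may overwrite this at any time */
    uint32_t          TscPad;
    uint64_t          TscScale;
    int64_t           TscOffset;
};

/* Next sequence value, skipping the two 'invalid' encodings 0 and 0xFFFFFFFF.
 * Operates on a local copy only, so it finishes after at most three
 * increments regardless of what the guest stores in the shared page. */
static uint32_t tsc_sequence_next(uint32_t cur)
{
    uint32_t x = cur;
    do {
        x++;
    } while ( x == 0xFFFFFFFFu || x == 0 );
    return x;
}

/* Single read, single write: the field is never re-fetched while deciding. */
static uint32_t tsc_sequence_update(struct ref_tsc_page *p)
{
    uint32_t next = tsc_sequence_next(p->TscSequence);
    p->TscSequence = next;
    return next;
}

/* The patch's formula: 100ns units per TSC tick as a 64.64 fixed-point value.
 * (10000 << 32) / tsc_khz must stay below 2^32, i.e. tsc_khz > 10000.) */
static uint64_t viridian_tsc_scale(uint64_t tsc_khz)
{
    return (((uint64_t)10000 << 32) / tsc_khz) << 32;
}

/* Guest side: ReferenceTime = ((RDTSC() * TscScale) >> 64) + TscOffset. */
static uint64_t viridian_ref_time(uint64_t tsc, uint64_t scale, int64_t offset)
{
    unsigned __int128 prod = (unsigned __int128)tsc * scale;
    return (uint64_t)(prod >> 64) + (uint64_t)offset;
}

int main(void)
{
    struct ref_tsc_page page = { .TscSequence = 0xFFFFFFFEu };
    uint64_t scale = viridian_tsc_scale(2000000);            /* 2 GHz TSC */
    printf("sequence after update: %u\n", tsc_sequence_update(&page));
    printf("200000000 ticks at 2 GHz = %llu x 100ns\n",
           (unsigned long long)viridian_ref_time(200000000, scale, 0));
    return 0;
}
```

Because the quotient in viridian_tsc_scale is truncated, the 2 GHz case yields 999999 rather than 1000000 for 200000000 ticks; the 20 MHz case divides exactly.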
