Re: [Xen-devel] [PATCH v2] x86/viridian: Add Partition Reference Time enlightenment
> -----Original Message-----
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
> Sent: 14 October 2014 11:12
> To: Ian Campbell
> Cc: Christoph Egger; Paul Durrant; Anthony Liguori; Ian Jackson; Stefano Stabellini; Matt Wilson; xen-devel@xxxxxxxxxxxxx; Keir (Xen.org)
> Subject: Re: [Xen-devel] [PATCH v2] x86/viridian: Add Partition Reference Time enlightenment
>
> >>> On 14.10.14 at 12:04, <ian.campbell@xxxxxxxxxx> wrote:
> > On Tue, 2014-10-14 at 10:56 +0100, Jan Beulich wrote:
> >> >>> On 14.10.14 at 09:45, <ian.campbell@xxxxxxxxxx> wrote:
> >> > On Mon, 2014-10-13 at 09:10 +0100, Jan Beulich wrote:
> >> >> >>> On 10.10.14 at 18:36, <msw@xxxxxxxxx> wrote:
> >> >> > On Mon, Sep 29, 2014 at 11:28:44AM +0100, Paul Durrant wrote:
> >> >> >> + /*
> >> >> >> + * The guest will calculate reference time according to the
> following
> >> >> >> + * formula:
> >> >> >> + *
> >> >> >> + * ReferenceTime = ((RDTSC() * TscScale) >> 64) + TscOffset
> >> >> >> + *
> >> >> >> + * Windows uses a 100ns tick, so we need a scale which is cpu
> >> >> >> + * ticks per 100ns shifted left by 64.
> >> >> >> + */
> >> >> >> + p->TscScale = ((10000ul << 32) / d->arch.tsc_khz) << 32;
> >> >> >> +
> >> >> >> + do {
> >> >> >> + p->TscSequence++;
> >> >> >> + } while ( p->TscSequence == 0xFFFFFFFF ||
> >> >> >> + p->TscSequence == 0 ); /* Avoid both 'invalid' values
> >> >> >> */
> >> >> >
> >> >> > Anthony Liguori and I were looking this over today and he pointed
> >> >> > something out: couldn't a second vCPU of the guest write 0 or
> >> >> > 0xffffffff in a tight loop to cause a hypervisor DoS?
> >> >>
> >> >> Yes, this is at least a theoretical issue that should be fixed. I don't
> >> >> think it's a practical issue though: I'd expect the compiler to
> >> >> eliminate the two reads of the field and instead directly use the
> >> >> result of the increment.
> >> >
> >> > Wouldn't that just mean the attacker needs to write fffffffe or ffffffff
> >> > instead?
> >>
> >> No.
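Review bot: the do/while in this hunk re-reads p->TscSequence in its loop condition on every iteration, and that field lives in memory the guest can store to, so a second vCPU writing 0 or 0xFFFFFFFF in a tight loop can keep the hypervisor spinning; rather than rely on the compiler collapsing the two reads into the result of the increment, increment a local copy and store it back once (`x = p->TscSequence; x++; if ( !x || !(x + 1) ) x = 1; p->TscSequence = x;`), which also removes the loop. Separately, the comment above TscScale says the scale is "cpu ticks per 100ns", but with ReferenceTime = ((RDTSC() * TscScale) >> 64) + TscOffset and the 10000 / tsc_khz computation it is 100ns units per cpu tick scaled by 2^64; the comment should say so.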
> >> The effect of what I said would amount to
> >>
> >> x = p->TscSequence;
> >> do {
> >>     x++;
> >> } while ( !(x + 1) || !x );
> >> p->TscSequence = x;
> >>
> >> (or something equivalent without using a loop).
> >
> > Ah right. Perhaps it would be better to write it that way and use some sort
> > of ACCESS_ONCE like macro to enforce it actually ends up that way rather
> > than rely on the vagaries of the compiler?
>
> Of course - that's why I said it's at least a theoretical issue and
> needs fixing. But the v3 Paul sent deals with this differently
> anyway, so not much point in continuing finding another clean
> solution.
>

I'll actually go with Matt's suggestion and just ditch the loop entirely. I'll send v4 in a few minutes.

  Paul

> Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
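The reference-time formula and the sequence update debated above, as an added stand-alone example (not code from the patch or from Xen): the hypervisor side fills the page with TscScale computed exactly as in the hunk and bumps TscSequence on a local copy so a concurrent guest store cannot stall it, and the guest side evaluates ((RDTSC() * TscScale) >> 64) + TscOffset with a 128-bit multiply. The struct layout, the 2.4 GHz TSC and the starting sequence value are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Guest-visible reference TSC page. Field names follow the quoted hunk;
 * the layout is an assumption for this example, not Xen's definition. */
struct ref_tsc_page {
    volatile uint32_t TscSequence;
    uint32_t Reserved;
    uint64_t TscScale;
    int64_t  TscOffset;
};

/* Hypervisor side, as in the hunk: TscScale = 2^64 * (100ns units per TSC
 * tick), computed in two 32-bit halves to avoid a 128-bit division. */
uint64_t compute_tsc_scale(uint64_t tsc_khz)
{
    return ((10000ul << 32) / tsc_khz) << 32;
}

/* Advance the sequence on a local copy: one read, one write, so a guest
 * vCPU storing 0 or 0xFFFFFFFF concurrently cannot keep Xen looping.
 * Both of those values mean 'invalid' to the guest, so skip them. */
uint32_t next_tsc_sequence(uint32_t seq)
{
    seq++;
    return (seq == 0 || seq == 0xFFFFFFFF) ? 1 : seq;
}

void hv_update_ref_tsc_page(struct ref_tsc_page *p, uint64_t tsc_khz)
{
    uint32_t seq = p->TscSequence;            /* single read of guest memory */
    p->TscScale = compute_tsc_scale(tsc_khz);
    p->TscSequence = next_tsc_sequence(seq);  /* single write */
}

/* Guest side: the formula from the hunk; needs a 64x64->128 multiply
 * (gcc/clang unsigned __int128). */
uint64_t guest_reference_time(const struct ref_tsc_page *p, uint64_t tsc)
{
    unsigned __int128 prod = (unsigned __int128)tsc * p->TscScale;
    return (uint64_t)(prod >> 64) + (uint64_t)p->TscOffset;
}

int main(void)
{
    struct ref_tsc_page page = { .TscSequence = 0xFFFFFFFE };  /* constructed */
    hv_update_ref_tsc_page(&page, 2400000);                    /* 2.4 GHz TSC */
    /* one second of TSC ticks -> 9999999: ~1e7 100ns units, truncation costs 1 */
    printf("seq=%u ref=%llu\n", page.TscSequence,
           (unsigned long long)guest_reference_time(&page, 2400000ull * 1000));
    return 0;
}
```

The one-tick shortfall over a simulated second comes from truncating 10000 * 2^32 / tsc_khz before the final shift, which is why the scale is kept as a 64.64 fixed-point value rather than a plain ratio.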