Xen project Mailing List

Re: [Xen-devel] [PATCH] x86/HVM: avoid pointer wraparound in bufioreq handling

To: "Paul Durrant" <Paul.Durrant@xxxxxxxxxx>

From: "Jan Beulich" <JBeulich@xxxxxxxx>

Date: Tue, 16 Jun 2015 10:29:45 +0100

Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, Ian Campbell <Ian.Campbell@xxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Stefano Stabellini <Stefano.Stabellini@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Keir \(Xen.org\)" <keir@xxxxxxx>

Delivery-date: Tue, 16 Jun 2015 09:29:51 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 16.06.15 at 11:15, <Paul.Durrant@xxxxxxxxxx> wrote: >> -----Original Message----- >> From: Ian Campbell [mailto:ian.campbell@xxxxxxxxxx] >> Sent: 16 June 2015 10:00 >> To: Jan Beulich >> Cc: Andrew Cooper; Wei Liu; Ian Jackson; Stefano Stabellini; xen-devel; Keir >> (Xen.org); Paul Durrant >> Subject: Re: [Xen-devel] [PATCH] x86/HVM: avoid pointer wraparound in >> bufioreq handling >> >> On Tue, 2015-06-16 at 09:37 +0100, Jan Beulich wrote: >> > >>> On 16.06.15 at 10:20, <ian.campbell@xxxxxxxxxx> wrote: >> > > On Tue, 2015-06-16 at 07:44 +0100, Jan Beulich wrote: >> > >> >>> On 15.06.15 at 16:30, <JBeulich@xxxxxxxx> wrote: >> > >> > The number of slots per page being 511 (i.e. not a power of two) >> means >> > >> > that the (32-bit) read and write indexes going beyond 2^32 will likely >> > >> > disturb operation. Extend I/O req server creation so the caller can >> > >> > indicate that it is using suitable atomic accesses where needed (not >> > >> > all accesses to the two pointers really need to be atomic), allowing >> > >> > the hypervisor to atomically canonicalize both pointers when both >> have >> > >> > gone through at least one cycle. >> > >> > >> > >> > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> >> > >> >> > >> No matter that it's just a single line change, I realized that I >> > >> forgot to Cc the tools maintainers. While a v2 will be needed (see >> > >> the reply just sent to Andrew) I'd still appreciate input (if any) to >> > >> limit the number of revisions needed. >> > > >> > > For such a simple toolstack side change which just reflects the >> > > underlying hcall interface I have no real opinion so far as the tools >> > > side goes, but it would be good to update the comments in xenctrl.h too. >> > > With that done for the tools change: >> > > Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> >> > >> > Thanks. The request for feedback went beyond the request for >> > an ack though, namely >> > >> > TBD: Do we need to be worried about non-libxc users of the changed >> > (tools only) interface? >> >> It's (currently at least) a declared non-stable API, so in principal no. >> It would be polite to give a heads up to the expected potential users >> though, which you've done by CCing the QEMU maintainers I think. Adding >> Paul D for completeness though. > > From my reading, both QEMU upstream and trad are safe. They use a loop of > the form: > > while (read_ptr != write_ptr) > { > do stuff > > read_ptr += (handled a qword) ? 2 : 1; > } > > So, since the only test is for equality I think overflow should be handled > correctly. So, does anything actually need to be fixed? Of course this needs to be fixed: When either pointer crosses the 2^32 boundary, the slot referenced goes from 0x1f to 0 (due to the "modulo 511" operation determining the slot to be used), introducing a discontinuity and potentially corrupting data in slots not consumed yet. Jan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.