[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] xen: grant-table: Check truncation when giving access to a frame

To: Julien Grall <julien.grall@xxxxxxx>, <boris.ostrovsky@xxxxxxxxxx>, <david.vrabel@xxxxxxxxxx>, <jgross@xxxxxxxx>, <sstabellini@xxxxxxxxxx>, <konrad.wilk@xxxxxxxxxx>
From: David Vrabel <david.vrabel@xxxxxxxxxx>
Date: Mon, 13 Jun 2016 11:57:28 +0100
Cc: andrew.cooper3@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, JBeulich@xxxxxxxx, steve.capper@xxxxxxx
Delivery-date: Mon, 13 Jun 2016 10:57:41 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 13/06/16 11:50, Julien Grall wrote:
> The version 1 of the grant-table protocol only supports frame encoded on
> 32-bit.
> 
> When the platform is supporting 48-bit physical address, the frame will
> be encoded on 36-bit which will lead a truncation and give access to
> the wrong frame.
> 
> On ARM Xen will always allow the guest to use all the physical address,
> although today the RAM is always located under 40-bits (see
> xen/include/public/arch-arm.h).
> 
> Add a truncation check in gnttab_update_entry_v1 to prevent the guest to
> give access to the wrong frame.

In hindsight, we shouldn't have dropped the V2 support from Linux.
Should we reinstate it?

David

> Signed-off-by: Julien Grall <julien.grall@xxxxxxx>
> 
> ---
>     This is limiting us to a 44-bit address space whilst ARM can support
>     up to 48-bit today. This number of bit will increase to 52-bit in
>     upcoming processors [1].
> 
>     It might be good to start thinking to extend the version 1 of the
>     protocol to use 64-bit frame number.
> 
>     [1] 
> https://community.arm.com/groups/processors/blog/2016/01/05/armv8-a-architecture-evolution
> ---
>  drivers/xen/grant-table.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
> index bb36b1e..f47c2e99 100644
> --- a/drivers/xen/grant-table.c
> +++ b/drivers/xen/grant-table.c
> @@ -224,6 +224,13 @@ static void gnttab_update_entry_v1(grant_ref_t ref, 
> domid_t domid,
>  {
>       gnttab_shared.v1[ref].domid = domid;
>       gnttab_shared.v1[ref].frame = frame;
> +
> +     /*
> +      * V1 only supports 32-bit frame, check the truncation
> +      * to avoid giving access to the wrong frame.
> +      */
> +     BUG_ON(gnttab_shared.v1[ref].frame != frame);
> +
>       wmb();
>       gnttab_shared.v1[ref].flags = flags;
>  }
> 


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] xen: grant-table: Check truncation when giving access to a frame
  - From: Julien Grall

References:
- [Xen-devel] [PATCH] xen: grant-table: Check truncation when giving access to a frame
  - From: Julien Grall

Prev by Date: [Xen-devel] [PULL 2/2] Introduce "xen-load-devices-state"
Next by Date: Re: [Xen-devel] [PATCH 1/3] Don't accept fuzz when patching
Previous by thread: [Xen-devel] [PATCH] xen: grant-table: Check truncation when giving access to a frame
Next by thread: Re: [Xen-devel] [PATCH] xen: grant-table: Check truncation when giving access to a frame
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.