[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH SpectreV1+L1TF v6 1/9] xen/evtchn: block speculative out-of-bound accesses

To: <nmanthey@xxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Tue, 12 Feb 2019 06:08:52 -0700
Cc: Juergen Gross <jgross@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, wipawel@xxxxxxxxx, Julien Grall <julien.grall@xxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, "Martin Mazein\(amazein\)" <amazein@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Julian Stecklina <jsteckli@xxxxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>
Delivery-date: Tue, 12 Feb 2019 13:09:15 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 08.02.19 at 14:44, <nmanthey@xxxxxxxxx> wrote:
> @@ -813,6 +817,13 @@ int set_global_virq_handler(struct domain *d, uint32_t 
> virq)
>  
>      if (virq >= NR_VIRQS)
>          return -EINVAL;
> +
> +   /*
> +    * Make sure the guest controlled value virq is bounded even during
> +    * speculative execution.
> +    */
> +    virq = array_index_nospec(virq, ARRAY_SIZE(global_virq_handlers));
> +
>      if (!virq_is_global(virq))
>          return -EINVAL;

Didn't we agree earlier on that this addition is pointless, as the only
caller is the XEN_DOMCTL_set_virq_handler handler, and most
domctl-s (including this one) are excluded from security considerations
due to XSA-77?

> @@ -955,22 +967,22 @@ long evtchn_bind_vcpu(unsigned int port, unsigned int 
> vcpu_id)
>      {
>      case ECS_VIRQ:
>          if ( virq_is_global(chn->u.virq) )
> -            chn->notify_vcpu_id = vcpu_id;
> +            chn->notify_vcpu_id = v->vcpu_id;
>          else
>              rc = -EINVAL;
>          break;
>      case ECS_UNBOUND:
>      case ECS_INTERDOMAIN:
> -        chn->notify_vcpu_id = vcpu_id;
> +        chn->notify_vcpu_id = v->vcpu_id;
>          break;
>      case ECS_PIRQ:
> -        if ( chn->notify_vcpu_id == vcpu_id )
> +        if ( chn->notify_vcpu_id == v->vcpu_id )
>              break;
>          unlink_pirq_port(chn, d->vcpu[chn->notify_vcpu_id]);
> -        chn->notify_vcpu_id = vcpu_id;
> +        chn->notify_vcpu_id = v->vcpu_id;

Right now we understand why all of these changes are done, but
without a comment this is liable to be converted back as an
optimization down the road.

Everything else here looks fine to me now.

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH SpectreV1+L1TF v6 1/9] xen/evtchn: block speculative out-of-bound accesses
  - From: Norbert Manthey

References:
- Re: [Xen-devel] [PATCH SpectreV1+L1TF v5 5/9] nospec: introduce evaluate_nospec
  - From: Norbert Manthey
- [Xen-devel] SpectreV1+L1TF Patch Series v6
  - From: Norbert Manthey
- [Xen-devel] [PATCH SpectreV1+L1TF v6 1/9] xen/evtchn: block speculative out-of-bound accesses
  - From: Norbert Manthey

Prev by Date: Re: [Xen-devel] [PATCH for-4.12 V4] x86/altp2m: fix HVMOP_altp2m_set_domain_state race
Next by Date: Re: [Xen-devel] [PATCH SpectreV1+L1TF v6 2/9] x86/vioapic: block speculative out-of-bound accesses
Previous by thread: [Xen-devel] [PATCH SpectreV1+L1TF v6 1/9] xen/evtchn: block speculative out-of-bound accesses
Next by thread: Re: [Xen-devel] [PATCH SpectreV1+L1TF v6 1/9] xen/evtchn: block speculative out-of-bound accesses
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.