 
	
Re: [Xen-devel] [PATCH 4/4] x86/vLAPIC: avoid speculative out of bounds accesses
 On 04.07.2019 15:44, Andrew Cooper wrote:
> On 31/01/2019 14:27, Jan Beulich wrote:
>> Array indexes used in the MMIO and MSR read/write emulation functions
>> are derived from guest controlled values. Restrict their ranges to limit
>> the side effects of speculative execution.
>>
>> Remove the unused vlapic_lvt_{vector,dm}() instead of adjusting them.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>
> While they are all guest controlled, the MMIO side of things is on the
> end of a function pointer call, which has already determined that the
> access is within 4k.  I don't think there are any safety concerns here.

I.e. are you suggesting there's no speculation through indirect
calls?

> guest_rdmsr_x2apic() does get values in the range 0x800...0xbff, so I
> think this is the only case which needs protecting.

What about vlapic_apicv_write(), which does get called directly?
And what about the vlapic_lvt_mask[] accesses?

Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
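
The kind of index restriction this thread is about, as an added example that is not part of the patch or of Xen's code: an MSR-derived array index is clamped with a branchless mask so that it stays in bounds even if the preceding range check is mispredicted. The names `struct vapic`, `vapic_rdmsr`, `clamp_index`, `index_mask` and the table size `NR_REGS` are assumptions made for illustration; only the 0x800...0xbff range comes from the thread.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define X2APIC_MSR_FIRST 0x800u /* start of the MSR range quoted in the thread */
#define NR_REGS          0x100u /* assumed table size, for illustration only */

struct vapic { uint32_t regs[NR_REGS]; }; /* hypothetical register file */

/* All-ones if idx < size, zero otherwise, computed without a branch so the
 * result does not depend on how a preceding bounds check was predicted.
 * Relies on arithmetic right shift of negative values (gcc and clang). */
static unsigned long index_mask(unsigned long idx, unsigned long size)
{
    /* Keep the compiler from folding the mask away using the bounds check. */
    __asm__ volatile ("" : "+r" (idx));
    return ~(long)(idx | (size - 1 - idx)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* In range: idx unchanged. Out of range: 0, a slot that is always valid. */
unsigned long clamp_index(unsigned long idx, unsigned long size)
{
    return idx & index_mask(idx, size);
}

/* Returns 0 and stores the register value, or -1 if msr has no slot. */
int vapic_rdmsr(const struct vapic *v, uint32_t msr, uint32_t *val)
{
    unsigned long idx = msr - X2APIC_MSR_FIRST; /* guest-controlled */

    if (idx >= NR_REGS) /* architectural check, may be mispredicted */
        return -1;

    *val = v->regs[clamp_index(idx, NR_REGS)]; /* bounded even speculatively */
    return 0;
}

int main(void)
{
    struct vapic v = { { 0 } };
    uint32_t val = 0;

    v.regs[0x30] = 0xabcd; /* constructed sample value */
    printf("0x830 -> %d\n", vapic_rdmsr(&v, 0x830, &val));
    printf("0xbff -> %d\n", vapic_rdmsr(&v, 0xbff, &val));
    return 0;
}
```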
 