Xen project Mailing List

Re: [PATCH 1/1] x86/ept: Fix buggy XSA-321 backport

To: "M. Vefa Bicakci" <m.v.b@xxxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Tue, 16 Feb 2021 10:20:03 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=50rRlYd/WoiMQgu4iiiur1BQeY/ousyczYTvbIpF768=; b=nz2kxoip8k4GLukuK3bUNCBYXitvMusJGRw7pYLrI21CHJ3VSgMQB8kS5xi+JTlzYY0pI1dlNCeOmjgTbCE/JbBMHFNshd+aIX/yfQdNOlY6pG3EPVHOHPwykaK/3cOY+0TNsUn9ppAT1ocdldk34vFLkufrzoz+5zCLU0NgIXpnRRm2ruqNUtQgSO5zIojvAf3jKIvZfLUH1/uzXkUAfaMgttkkd6ekyhfy3xOx9BWYVIPTx8p6s9vJ0lamgjNrzgz1oCuXP+zBFUyGhFD6BZMiX4Nflxz5xMyWyCHeVI8AEwps6eu18CLBdE2DqntAiew6FmbVKvhUsgSi6bnrYQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ie2mLSSOeyTBPFRAA379GPwMFv6CXETEvmwD9NdXUFKjQSCZ0p8mepDPO+GKs202aLj6ehLbTjD5NaaEX6hpzlU7NrDV1S+IkorfzW6/bpANTSDf2L4aDefODPgmIvyJGh7+4J225nOBbhe6J9mRoYUJ63PqesUInsXJ0Y/So7DDQuzQ6lXMbUD4nBY4dsRUgOEPcB/x8SoSuJEDIzc/tNuOGNpBgRfrjFZZMu/y18iUYgpSrL5bt5lGrRgpBircHIfs8cjXm3kUPVyhrO/6XOvj6ZE6ecZ7UWAYRRPFNiZkz9ZP4nNvadlkZP1G9NOT0FAoo/qo56sg5j1bz53Zlw==

Authentication-results: esa3.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com

Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, <jbeulich@xxxxxxxx>

Delivery-date: Tue, 16 Feb 2021 09:20:33 +0000

Ironport-sdr: Xa+BZGwjOPasIgjxqnc/Hjm6KXxWJCq/YbZRo3P9rYitOgXeR87TxVTgvjhRiGvv5oe8GPEbso 8bzBJ/ujWd2t+0126MruvFyMiM9VaI4HQHd7D5m6FVQj8jTdb59JFbfFAgPVKO+WbZt7N9Q4Qa i1vy1hFBEmssxJKEvcshqP34cYj+jh0+F+985b4+4ZhiBNQrdchqsw4OjV4aplKUzhDN+Uzhcc wjoLno8ulbr7e30IOj+cjTxp0YJXlnYtO6O5xwgS7ayyYLE04pnJHkGIO1S4tRo+atAraXmxHn wwI=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Feb 15, 2021 at 06:46:19PM -0500, M. Vefa Bicakci wrote: > This commit aims to fix commit a852040fe3ab ("x86/ept: flush cache when > modifying PTEs and sharing page tables"). The aforementioned commit is > for the stable-4.9 branch of Xen and is a backported version of commit > c23274fd0412 ("x86/ept: flush cache when modifying PTEs and sharing page > tables"), which was for Xen 4.14.0-rc5 and which fixes the security > issue reported by XSA-321. > > Prior to the latter commit, the function atomic_write_ept_entry in Xen > 4.14.y consisted mostly of a call to p2m_entry_modify followed by an > atomic replacement of a page table entry, and the latter commit adds > a call to iommu_sync_cache for a specific condition: > > static int atomic_write_ept_entry(struct p2m_domain *p2m, > ept_entry_t *entryptr, ept_entry_t new, > int level) > { > int rc = p2m_entry_modify(p2m, new.sa_p2mt, entryptr->sa_p2mt, > _mfn(new.mfn), _mfn(entryptr->mfn), level + > 1); > > if ( rc ) > return rc; > > write_atomic(&entryptr->epte, new.epte); > > + /* snipped comment block */ > + if ( !new.recalc && iommu_use_hap_pt(p2m->domain) ) > + iommu_sync_cache(entryptr, sizeof(*entryptr)); > + > return 0; > } > > However, the backport to Xen 4.9.y is a bit different because > atomic_write_ept_entry does not consist solely of a call to > p2m_entry_modify, which does not exist in Xen 4.9.y. I am quoting from > Xen 4.8.y for convenience: > > static int atomic_write_ept_entry(ept_entry_t *entryptr, ept_entry_t new, > int level) > { > int rc; > unsigned long oldmfn = mfn_x(INVALID_MFN); > bool_t check_foreign = (new.mfn != entryptr->mfn || > new.sa_p2mt != entryptr->sa_p2mt); > > if ( level ) > { > ASSERT(!is_epte_superpage(&new) || !p2m_is_foreign(new.sa_p2mt)); > write_atomic(&entryptr->epte, new.epte); > return 0; > } > > if ( unlikely(p2m_is_foreign(new.sa_p2mt)) ) > { > rc = -EINVAL; > if ( !is_epte_present(&new) ) > goto out; > > if ( check_foreign ) > { > struct domain *fdom; > > if ( !mfn_valid(new.mfn) ) > goto out; > > rc = -ESRCH; > fdom = page_get_owner(mfn_to_page(new.mfn)); > if ( fdom == NULL ) > goto out; > > /* get refcount on the page */ > rc = -EBUSY; > if ( !get_page(mfn_to_page(new.mfn), fdom) ) > goto out; > } > } > > if ( unlikely(p2m_is_foreign(entryptr->sa_p2mt)) && check_foreign ) > oldmfn = entryptr->mfn; > > write_atomic(&entryptr->epte, new.epte); > > + /* snipped comment block */ > + if ( !new.recalc && iommu_hap_pt_share ) > + iommu_sync_cache(entryptr, sizeof(*entryptr)); > + > if ( unlikely(oldmfn != mfn_x(INVALID_MFN)) ) > put_page(mfn_to_page(oldmfn)); > > rc = 0; > > out: > if ( rc ) > gdprintk(XENLOG_ERR, "epte o:%"PRIx64" n:%"PRIx64" rc:%d\n", > entryptr->epte, new.epte, rc); > return rc; > } > > Based on inspection of the p2m_entry_modify function in Xen 4.14.1, it > appears that the part of atomic_write_ept_entry above the call to > write_atomic is encapsulated by p2m_entry_modify, which uncovers one > issue with the backport: In Xen 4.14, if p2m_entry_modify returns early > without an error, then the calls to write_atomic and iommu_sync_cache > will still occur (assuming that the corresponding if condition is > satisfied), whereas in Xen 4.9.y, there is a code path that can skip the > call to iommu_sync_cache, in case the variable level is not zero: > > if ( level ) > { > ASSERT(!is_epte_superpage(&new) || !p2m_is_foreign(new.sa_p2mt)); > write_atomic(&entryptr->epte, new.epte); > return 0; > } > > This patch reorganizes the atomic_write_ept_entry to ensure that the > call to iommu_sync_cache is not inadvertently skipped. IMO this is likely too much change in a single patch, iff we really wanted to do this you should have a pre-patch that re-arranges the code without any functional change followed by a patch that fixes the issue. In any case I think this is too much change, so I would go for a smaller fix like my proposal below. Can you please test it? > Furthermore, in Xen 4.14.1, p2m_entry_modify calls > > put_page(mfn_to_page(oldmfn)); > > before the potential call to iommu_sync_cache in atomic_write_ept_entry. > I am not sufficiently familiar with Xen to determine if this is a > significant behavioural change, but this patch makes Xen 4.9.y similar > to Xen 4.14.1 in that regard as well, by further re-organizing the code > in atomic_write_ept_entry. Well, that put_page is only relevant to PVH dom0, but you shouldn't remove it. The put_page call in newer versions has been moved by commit ce0224bf96a1a1f82 into p2m_entry_modify. Here is my proposed fix, I think we could even do away with the else branch, but if level is != 0 p2m_is_foreign should be false, so we avoid an extra check. Thanks, Roger. ---8<--- diff --git a/xen/arch/x86/mm/p2m-ept.c b/xen/arch/x86/mm/p2m-ept.c index 036771f43c..086739ffdd 100644 --- a/xen/arch/x86/mm/p2m-ept.c +++ b/xen/arch/x86/mm/p2m-ept.c @@ -56,11 +56,8 @@ static int atomic_write_ept_entry(ept_entry_t *entryptr, ept_entry_t new, if ( level ) { ASSERT(!is_epte_superpage(&new) || !p2m_is_foreign(new.sa_p2mt)); - write_atomic(&entryptr->epte, new.epte); - return 0; } - - if ( unlikely(p2m_is_foreign(new.sa_p2mt)) ) + else if ( unlikely(p2m_is_foreign(new.sa_p2mt)) ) { rc = -EINVAL; if ( !is_epte_present(&new) )

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.