[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] x86/vPIT: check/bound values loaded from state save record

  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 11 May 2023 13:50:05 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CPKJcU9yyCNN6ui7J+8QrolkEQPO4ronoUMXEO9IIrk=; b=Ph4VuLBqed1csXbbMLSP0QEKTCVFLiUVlxCUnio6stHdMazNLMjfuTokJtRfwiPgdfEf25EOAhEHnjruS5rh4qlnKcF2FUQaPtOhuqVp+wokctjPn0To7DKux92EpQ0nUVd3nnWDO4dzvn/471INROuQNr9YuWHSXjelRgBmaVhFhtkVc+XU30yMi+4ApfHqwoqUmZCX0RrAuWt/woCQqPeAuKnjLS81OP+4VLoOhMaq7wdKl8Z5EEYT3W59o4gPP3xRa1HMc0kVQzBQ5boQgMe4XMAGz73TXwewz1WfBHkfTpIuiDWk3Ntvv2rEnqdzXvWahEyUaosOPApALSYsYw==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=J1KmYhuK6+4o5gPuLjsva2MWNG5hPQ5LeNK+kKqI8tuK+xmI9R8NIXZD4FXxDDyAMpteA5Jix91NYmHf/soN74UUGGuMoP9OJeIbtan5wHfCYduf7VFybucR7KdjavFkYHM8UucUOOEZrxb4qU4EnY3V8r/o1lphqzau+Q+gW/8sRymsHpINMXU2hW8IN6MBN6oDNkFm9AnDVw0zTqEWEcqYjd19IKE1rXJM3CVTgsdQ/SGx29KY1KGRekJRy/PpTnSGhd6OSatBIci9gvn8OE8gpps/T4fDAe/NXYlUICUlGLJpsaLBy3nzr6aBTiJLSaMvuuOG2Bjnykda7KX6UQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Thu, 11 May 2023 11:50:19 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
In particular pit_latch_status() and speaker_ioport_read() perform
calculations which assume in-bounds values. Several of the state save
record fields can hold wider ranges, though.

Note that ->gate should only be possible to be zero for channel 2;
enforce that as well.

Adjust pit_reset()'s writing of ->mode as well, to not unduly affect
the value pit_latch_status() may calculate. The chosen mode of 7 is
still one which cannot be established by writing the control word.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
Of course an alternative would be to simply reject state save records
with out of bounds values.

--- a/xen/arch/x86/emul-i8254.c
+++ b/xen/arch/x86/emul-i8254.c
@@ -47,6 +47,7 @@
 #define RW_STATE_MSB 2
 #define RW_STATE_WORD0 3
 #define RW_STATE_WORD1 4
+#define RW_STATE_NUM 5
 
 static int cf_check handle_pit_io(
     int dir, unsigned int port, unsigned int bytes, uint32_t *val);
@@ -426,6 +427,33 @@ static int cf_check pit_load(struct doma
     }
     
     /*
+     * Convert loaded values to be within valid range, for them to represent
+     * actually reachable state.  Uses of some of the values elsewhere assume
+     * this is the case.
+     */
+    for ( i = 0; i < ARRAY_SIZE(pit->hw.channels); ++i )
+    {
+        struct hvm_hw_pit_channel *ch = &pit->hw.channels[i];
+
+        /* pit_load_count() will convert 0 suitably back to 0x10000. */
+        ch->count &= 0xffff;
+        if ( ch->count_latched >= RW_STATE_NUM )
+            ch->count_latched = 0;
+        if ( ch->read_state >= RW_STATE_NUM )
+            ch->read_state = 0;
+        if ( ch->read_state >= RW_STATE_NUM )
+            ch->write_state = 0;
+        if ( ch->rw_mode > RW_STATE_WORD0 )
+            ch->rw_mode = 0;
+        if ( (ch->mode &= 7) > 5 )
+            ch->mode -= 4;
+        ch->bcd = !!ch->bcd;
+        ch->gate = i != 2 || ch->gate;
+    }
+
+    pit->hw.speaker_data_on = !!pit->hw.speaker_data_on;
+
+    /*
      * Recreate platform timers from hardware state.  There will be some 
      * time jitter here, but the wall-clock will have jumped massively, so 
      * we hope the guest can handle it.
@@ -464,7 +492,7 @@ void pit_reset(struct domain *d)
     for ( i = 0; i < 3; i++ )
     {
         s = &pit->hw.channels[i];
-        s->mode = 0xff; /* the init mode */
+        s->mode = 7; /* the init mode */
         s->gate = (i != 2);
         pit_load_count(pit, i, 0);
     }

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.