[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.18] x86/time: Fix UBSAN failure in __update_vcpu_system_time()

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 13 Nov 2023 10:19:09 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=MNTVy8uxJIwlYlPTIDqOvfT2fBv+NJBFheSi8uY64D0=; b=KD95FYJSAJjmOqyBHx6ptu1Be4brLzk08zD7pRDhvwUWbNMNGm6fn8Y2CdUCdsM5babYxsAlQbl+gjS+xGioP31NOPA89GLDXdD44mX5l0WNNPTK95HAmcym6Fu5q02fMobA+I9RyvdhjGr12lOzfEmHtZVBkgU41tryGktRLhzOuBYWcePo7zvty3/u27tiTU6fSZH2aWhvmvM99xhtEPsf0k7NINSDFMhf4Bb83vbfL85/gxeAvknbLzkbThYfU6lzdnfzoT+AiaOX3Q/lY2MA3jsDmJ3IkiMQqE1ekX5qvEUsXGTCSawzUZ8df7X1YhgtRgaJH+/tRQvN82/VAg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bEffV831n0xZBFcG74Eg2kT5P2UXknkkmkarENXIRh0rrWsBsWaELaslhsh0AFvr01noYxHGVznVMb9t/7Br5lEDIX3hz1kE2dUVc7fWQ6odgbkpQPdu9gBbtyDYzArMYnD0FmSifZwRdAJe/VsfazFkqOdZD9g7altcBNTYpL5th3U/b6N9a9StYUo1/fB/ZZ4jxW8ZQVIHlbe1V5dk6wcMCEXAGvsEmVIjuxuFVIkGJuRw+cetki0CEZAoIomeRELuRFoceru1SN57a1RRuwFaoT3wzfz5qpQ6x3nw/dDRpPjA3Ok7lCvGm85fG3AUQ0f1tnfFfujsbceHbOxkiA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 13 Nov 2023 09:19:34 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 02.11.2023 20:05, Andrew Cooper wrote:
> On 02/11/2023 8:33 am, Jan Beulich wrote:
>> Furthermore, if you deem this XSA-worthy despite the generated code not
>> resulting in any real misbehavior
> 
> ... we've issued XSAs for this class of issue before.  XSA-328 is the
> one I specifically remember, but I'm sure we've done others too.
> 
> In this case, an unprivileged guest can control the NULL-ness here, so
> if there's a practical consequence from the compiler then the guest can
> definitely tickle that consequence.
> 
> Alternatively, the security team could decide to change it's stance on
> this class of issues.
> 
>> , code patterns like
>> (found in free_heap_pages())
>>
>>             struct page_info *predecessor = pg - mask;
>>
>>             /* Merge with predecessor block? */
>>             if ( !mfn_valid(page_to_mfn(predecessor)) ||
>>
>> or (found in get_page_from_l1e())
>>
>>     struct page_info *page = mfn_to_page(_mfn(mfn));
>>     ...
>>     valid = mfn_valid(_mfn(mfn));
>>
>>     if ( !valid ||
>>
>> would be in the same class (access outside of array bounds), just that the
>> checker cannot spot those without producing false positives (simply because
>> it doesn't know frame_table[]'s bounds). We're fully aware of the existence
>> of such code, and we've decided to - if at all - only eliminate such cases
>> (slowly) as respective code is touched anyway.
> 
> I don't agree with describing these as the same class.  NULL deference
> is different to OoB, even if they overlap from an underlying mechanics
> point of view.
> 
> Nevertheless, I've raised that "valid" pattern with the security team
> before, and I would certainly prefer to express it differently.
> 
> But neither of them trigger UBSAN.  GCC can't see any wiggle room to
> potentially optimise, and I expect it's because __mfn_valid() is in an
> external call.
> 
> If we had working LTO, I'd be interested to see that alters the UBSAN
> determination or not.

I'm not convinced it takes as much as working LTO. With PDX_COMPRESSION=n
I question __mfn_valid() needing to be an out-of-line function. Converting
it (back) to an inline one would better not come with the risk of breaking
certain use sites.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.