[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] x86/boot: Fix microcode module handling during PVH boot


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 23 Oct 2024 08:17:12 -0400
  • Arc-authentication-results: i=1; mx.zohomail.com; dkim=pass header.i=apertussolutions.com; spf=pass smtp.mailfrom=dpsmith@xxxxxxxxxxxxxxxxxxxx; dmarc=pass header.from=<dpsmith@xxxxxxxxxxxxxxxxxxxx>
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1729685836; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=mtKcHRm9zMX9jcImlJ/4YOoL214/MVZzhYhb6tm+M1w=; b=ZfErIBh91ltkuUXvbmUsPfECzXNqk60lkcq0laxVvC9w7mmLLbWpOoX+OWnWuSwY9N/0ZHoZ5qzjwWJLNEo/ktDte7vEk2tEiOkPL3cROVwbCDkHpALJojliDilrTa8Ty9KhHrPyEka5vgA645nx5OzOx+86oHD+2O84N14Fku8=
  • Arc-seal: i=1; a=rsa-sha256; t=1729685836; cv=none; d=zohomail.com; s=zohoarc; b=UdljNj+7Y/qbVoM/qSko+osKK/+7RkzDet813pKjw3VJ+lBFFwBmKAMryJmBC2nGDn7VkIoSjQGD288GcbGNIeBGPSlRJ/OcnsLPBMtYtZNiLvYGF8QfEi6p28gJ7B0eRxFOpOouAWyCVxY/t53pPaKHsMLSiOKIlG2peCs/Fhs=
  • Cc: Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Wed, 23 Oct 2024 12:17:43 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 10/23/24 06:57, Andrew Cooper wrote:
From: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>

As detailed in commit 0fe607b2a144 ("x86/boot: Fix PVH boot during boot_info
transition period"), the use of __va(mbi->mods_addr) constitutes a
use-after-free on the PVH boot path.

This pattern has been in use since before PVH support was added.  Inside a PVH
VM, it will go unnoticed as long as the microcode container parser doesn't
choke on the random data it finds.

The use within early_microcode_init() happens to be safe because it's prior to
move_xen().  microcode_init_cache() is after move_xen(), and therefore unsafe.

Plumb the boot_info pointer down, replacing module_map and mbi.  Importantly,
bi->mods[].mod is a safe way to access the module list during PVH boot.

Note: microcode_scan_module() is still bogusly stashing a bootstrap_map()'d
       pointer in ucode_blob.data, which constitutes a different
       use-after-free, and only works in general because of a second bug.  This
       is unrelated to PVH, and needs untangling differently.

Signed-off-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
CC: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>

Reviewed-by: Daniel P. Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.