[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [PATCH v5 01/18] xen/pmstat: guard perf.states[] access with XEN_PX_INIT

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: "Penny, Zheng" <penny.zheng@xxxxxxx>
  • Date: Tue, 17 Jun 2025 03:37:59 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=amd.com; dmarc=pass action=none header.from=amd.com; dkim=pass header.d=amd.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kfvLFk/btPx6m9wR5ht99Ql3XsUA6L4ajjpm7UMn3z8=; b=pUyxhK2SrG7MaU52lBVtpA7DDRkhLAMOfPoOG0URrhvBNxdx0MWpi6lLNiZTMysTIvqy74Bn4TrUdlQ3wrBqXceVDXN5BmGQf0YWTT4e5I9oPurymUfTRM4X+SA3dzx2NCDFC5nY1dXY7j72LcBxfYlKqx3XVedzKI6llx/gRoo0Cuh830wfugzeST9901XSfgdSuebDgVBMZ8DJv+ETEnQqQNxzu7Dmpnn87D/LpdjJEIEmoyEoViQ0b4A4gAOQh9C4k8HzYXuayp5n30iBjooGPmbQRFmJouxMXwzZ/RAwZxwquACfea1gnjcmNlc/+Z8E2kY/4e4BRoZpb0aqfg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=hR+oWidaK1bzdmlL4LDkbvE57h6nlyvuJFGEZ/UGlrMvL6gzV/StOEcAjT/Yaa0V8I3oe0VHBgVZPyO75iJdT+H/rJlo3y82jI2RhrC+7uapyRz1RHr/JZec5AF0pjOXGDkBs/9JfvCyP3K++iE4wZ1CT9dFxaLH7LV6J1iKLXOJg8HSC65BxqiS1tWSP+WiGlcaVEWEaEf77HdlrUcbvD+vTIo+e5P4CtXJzA82m+zC9Xbkw4pC8Z/qTZjfyFweYgXPCKUp+SEVFvwzULr6+S9rx2C+mc3EU0mnc+W3LCYr05XpNAtUZVhhYTLFsmUw/mv9IcbnU1TPUtt7Bo/xlA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=amd.com;
  • Cc: "Huang, Ray" <Ray.Huang@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Tue, 17 Jun 2025 03:38:22 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Msip_labels: MSIP_Label_f265efc6-e181-49d6-80f4-fae95cf838a0_Enabled=True;MSIP_Label_f265efc6-e181-49d6-80f4-fae95cf838a0_SiteId=3dd8961f-e488-4e60-8e11-a82d994e183d;MSIP_Label_f265efc6-e181-49d6-80f4-fae95cf838a0_SetDate=2025-06-17T03:37:51.0000000Z;MSIP_Label_f265efc6-e181-49d6-80f4-fae95cf838a0_Name=Open Source;MSIP_Label_f265efc6-e181-49d6-80f4-fae95cf838a0_ContentBits=3;MSIP_Label_f265efc6-e181-49d6-80f4-fae95cf838a0_Method=Privileged
  • Thread-index: AQHbzuQ5KDq5M5MbdEiyL/UuBwqBb7P+KsSAgALCz6CABLMkgIABL2Ig
  • Thread-topic: [PATCH v5 01/18] xen/pmstat: guard perf.states[] access with XEN_PX_INIT
[Public]

> -----Original Message-----
> From: Jan Beulich <jbeulich@xxxxxxxx>
> Sent: Monday, June 16, 2025 5:16 PM
> To: Penny, Zheng <penny.zheng@xxxxxxx>
> Cc: Huang, Ray <Ray.Huang@xxxxxxx>; xen-devel@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: [PATCH v5 01/18] xen/pmstat: guard perf.states[] access with
> XEN_PX_INIT
>
> On 16.06.2025 11:05, Penny, Zheng wrote:
> > [Public]
> >
> >> -----Original Message-----
> >> From: Jan Beulich <jbeulich@xxxxxxxx>
> >> Sent: Wednesday, June 11, 2025 11:20 PM
> >> To: Penny, Zheng <penny.zheng@xxxxxxx>
> >> Cc: Huang, Ray <Ray.Huang@xxxxxxx>; xen-devel@xxxxxxxxxxxxxxxxxxxx
> >> Subject: Re: [PATCH v5 01/18] xen/pmstat: guard perf.states[] access
> >> with XEN_PX_INIT
> >>
> >> On 27.05.2025 10:48, Penny Zheng wrote:
> >>> Accessing to perf.states[] array shall not be only guarded with
> >>> user-defined hypercall input, so we add XEN_PX_INIT check to gain safety.
> >>
> >> What is "guarded with user-defined hypercall input"? And what safety
> >> are we lacking?
> >>
> >>> --- a/xen/drivers/acpi/pmstat.c
> >>> +++ b/xen/drivers/acpi/pmstat.c
> >>> @@ -228,10 +228,13 @@ static int get_cpufreq_para(struct
> >>> xen_sysctl_pm_op
> >> *op)
> >>>      ret = copy_to_guest(op->u.get_para.affected_cpus,
> >>>                          data, op->u.get_para.cpu_num);
> >>>
> >>> -    for ( i = 0; i < op->u.get_para.freq_num; i++ )
> >>> -        data[i] = pmpt->perf.states[i].core_frequency * 1000;
> >>> -    ret += copy_to_guest(op->u.get_para.scaling_available_frequencies,
> >>> -                         data, op->u.get_para.freq_num);
> >>> +    if ( pmpt->perf.init & XEN_PX_INIT )
> >>> +    {
> >>> +        for ( i = 0; i < op->u.get_para.freq_num; i++ )
> >>> +            data[i] = pmpt->perf.states[i].core_frequency * 1000;
> >>> +        ret += 
> >>> copy_to_guest(op->u.get_para.scaling_available_frequencies,
> >>> +                             data, op->u.get_para.freq_num);
> >>> +    }
> >>
> >> Going from just the code change: You want to avoid copying out
> >> frequency values when none have been reported? But when none have
> >> been reported, isn't pmpt-
> >>> perf.state_count (against which op->u.get_para.freq_num was
> >> validated) simply going to be 0? If not, how would callers know that
> >> no data was handed back to them?
> >
> > I may misunderstand what you've commented on v4 patch "tools/xenpm:
> > Print CPPC parameters for amd-cppc driver", quoting the discussion there, "
> > This looks questionable all on its own. Where is it that ->perf.states
> > allocation is being avoided? I first thought it might be patch 06
> > which is related, but that doesn't look to be it. In any event further
> > down from here there is
> >
> >     for ( i = 0; i < op->u.get_para.freq_num; i++ )
> >         data[i] = pmpt->perf.states[i].core_frequency * 1000;
> >
> > i.e. an access to the array solely based on hypercall input.
> > "
> > I thought we were indicating a scenario, user accidentally writes the
> > "op->u.get_para.freq_num ", and it leads to accessing out-of-range
> > array slot in CPPC mode. That's the reason why I added this guard
>
> Well, it's not an out-of-range access, but a NULL deref, but yes, the concern 
> voiced
> there is related. But that can't be done in an isolated patch, it makes sense 
> only
> together with the change to the if() that I did comment on. And even then if 
> it is
> guaranteed that perf.state_count is always 0 when perf.states is NULL, we'd 
> be fine
> without any change. Yet this latter aspect goes back to the question I had 
> raised
> there: "Where is it that ->perf.states allocation is being avoided?"
>

->perf.states is allocated in set_px_pminfo(), which is a px-specific function.
In the caller of set_px_pminfo(), we have assertion 
"ASSERT(!(xen_processor_pmbits & XEN_PROCESSOR_PM_CPPC));"
to ensure it will not be invoked in CPPC mode.

Answering" And even then if it is  guaranteed that perf.state_count is always 0 
when perf.states is NULL", maybe we shall add another check
in the very beginning of get_cpufreq_para():
```
if ( !pmpt || ((pmpt->init & XEN_PX_INIT) && !pmpt->perf.states) || 
((pmpt->init & XEN_CPPC_INIT) && pmpt->perf.state_count))
```
We are ensuring in CPPC mode, ->perf.state_count must be zero, then 
op->u.get_para.freq_num is validated against it, we will
never enter into the loop...

And if we're okay with above change, right, it shall not be done in an isolated 
patch, and it shall be added only together with the change to the if()

> > Buit as you said at the very beginning,  op->u.get_para.freq_num is 
> > validated
> against pmpt->perf.state_count, so ig the above scenario will not happen, 
> I'll delete
> this commit.
>
> Not sure yet whether deleting is the right course of action.
>
> Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.