[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH for-4.22 1/2] xen/arm: validate IRQs before descriptor lookup


  • To: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
  • From: Mykola Kvach <xakep.amatop@xxxxxxxxx>
  • Date: Mon, 13 Jul 2026 13:46:27 +0300
  • Arc-authentication-results: i=1; mx.google.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=iDB3+p5lwzfbkaqoV1rncrIre3UWi97X1aaumaM+hLc=; fh=MCAliuBSvUc8sa0isdVtlFj4rb5YczShrJEG40DSQwA=; b=VkHG7odkItD1/bwErxduSs9qCMvJUs8EhZZJZ/gtN90KMSsnRQ+qS4IIJFSLTCWXjV o9EX1p1hmdYIaz6DUDdEBbO8S0N5Z0BGEdAICilKzoFVMcrfBI9d1GwWcR9MQgh/Dup7 zAkN24VNNhaJ/qMzw+g0VCav6rhXnR9pQo96c79SJJG5XPNIqUP8Uxp5FKlsNdjLe/W9 n0KEKLUiYhmeHSyzKpoA+541eXfDGbYJbMMfHnbTLJrNhxSUHSx7WdBSjALC/Xk7SF1i +xRct4xItYiUZn0hBesrYKRuhOyZXbZwKCs4pj7GOq0TsM9+5IHBTrNL80+pPHR954yA Vpkg==; darn=lists.xenproject.org
  • Arc-seal: i=1; a=rsa-sha256; t=1783939599; cv=none; d=google.com; s=arc-20260327; b=S2fh12dHQI2kWMFMH+i0VXoBMb91wKjf/LImJRFhzWowu4k5u/Bz3VUC/BoxyD9OcB 25wbmqtdmoSPgT1joesNrteUM2aSS8sJLiBgnb0GrpP5VP8e9k/TjfK3hwhyzVuwZAlB UPkR1KWYUFnXYkYdDaqqKWnYGq2UbXVFTkzUPghBGBoCzskrcOWPYeMc0NPaPEUxIZ0i zXf5k7kqSwMEcdSxPGr3vc9sEoXdku8c7yM1W6pA2lAPBV5sDNSAQu4JBS/+aDSTL0Gs wffwa6mnkD/Ur4I+JVrQdc+skbBgUiIurgZNNUST2xjZkCxxT+25gvM0FAERFRO6QStN O+Fg==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20251104 header.d=gmail.com header.i="@gmail.com" header.h="Content-Transfer-Encoding:Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To:References:MIME-Version"
  • Cc: "Orzel, Michal" <michal.orzel@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Mon, 13 Jul 2026 10:46:46 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Oleksii,

Thank you for the review.

On Mon, Jul 13, 2026 at 10:39 AM Oleksii Kurochko
<oleksii.kurochko@xxxxxxxxx> wrote:
>
>
>
> On 7/10/26 1:48 PM, Mykola Kvach wrote:
> > On Fri, Jul 10, 2026 at 12:44:44PM +0200, Orzel, Michal wrote:
> >> On a tangent note:
> >> I can see that you pushed quite a few "for-4.22" patches. We are 
> >> approaching the
> >> release, so afaict at this point we should only be taking crucial bug 
> >> fixes.
> >> Moreover, when sending "for-X" patches, please include a description with 
> >> your
> >> analyzed pros/cons of taking a patch in.
> >
> > Ack. I understand. For this patch specifically, I consider it a crucial
> > fix for 4.22 for the following reasons:
> >
> > Pros:
> > - It prevents an out-of-bounds irq_desc[] access which may corrupt Xen
> >    memory or crash the hypervisor.
> > - The issue was introduced by eSPI support already present in 4.22.
> > - The change is small, and valid IRQ handling remains unchanged.
> > - I tested CONFIG_GICV3_ESPI=y and CONFIG_GICV3_ESPI=n builds and
> >    reproduced the issue on FVP using a fake DT interrupt with reserved
> >    INTID 3000.
> >
> > Cons:
> > - The trigger requires either a malformed DT interrupt specifier, such
> >    as reserved INTID 3000, or an eSPI unsupported by the Xen build.
> > - The demonstrated failure used deliberate fault injection rather than
> >    a reported production failure.
> > - The patch adds validation to common Arm IRQ setup paths, although
> >    valid IRQs continue through the same path as before.
> >
> > Assessment:
> > The hypervisor memory-safety impact and the presence of the affected
> > eSPI code in 4.22 outweigh the limited regression risk.
> >
> > I will include this kind of pros/cons analysis with future for-X
> > submissions.
>
> It doesn't seem as critical. IIUC, exploiting this issue requires
> providing a malformed DT interrupt specifier. If the DT interrupt
> specifier is valid, the system should behave correctly.
>
> Given that we are very close to the release, I think it would be better
> to proceed without these changes. If the issue proves to be critical, we
> can backport the fixes afterward.

Okay, thanks.

What do you think about the second patch in this series? I believe it
is more critical. Unlike the first issue, it can be triggered with a
valid eSPI configuration: freeing a valid eSPI uses the raw INTID as
the bitmap index, causing an out-of-bounds access that may corrupt
memory.

Could it still be considered for 4.22?

Best regards,
Mykola



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.