From: Ian Campbell <ian.campbell@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
Matt Wilson <msw@linux.com>, Christoph Egger <chegger@amazon.de>,
Ian Jackson <ian.jackson@eu.citrix.com>,
xen-devel@lists.xen.org, Paul Durrant <paul.durrant@citrix.com>,
Anthony Liguori <anthony@codemonkey.ws>
Subject: Re: [PATCH v2] x86/viridian: Add Partition Reference Time enlightenment
Date: Tue, 14 Oct 2014 11:04:49 +0100
Message-ID: <1413281089.10417.21.camel@citrix.com>
In-Reply-To: <543D0F5A020000780003E9B8@mail.emea.novell.com>
On Tue, 2014-10-14 at 10:56 +0100, Jan Beulich wrote:
> >>> On 14.10.14 at 09:45, <ian.campbell@citrix.com> wrote:
> > On Mon, 2014-10-13 at 09:10 +0100, Jan Beulich wrote:
> >> >>> On 10.10.14 at 18:36, <msw@linux.com> wrote:
> >> > On Mon, Sep 29, 2014 at 11:28:44AM +0100, Paul Durrant wrote:
> >> >> + /*
> >> >> + * The guest will calculate reference time according to the following
> >> >> + * formula:
> >> >> + *
> >> >> + * ReferenceTime = ((RDTSC() * TscScale) >> 64) + TscOffset
> >> >> + *
> >> >> + * Windows uses a 100ns tick, so we need a scale which is cpu
> >> >> + * ticks per 100ns shifted left by 64.
> >> >> + */
> >> >> + p->TscScale = ((10000ul << 32) / d->arch.tsc_khz) << 32;
> >> >> +
> >> >> + do {
> >> >> + p->TscSequence++;
> >> >> + } while ( p->TscSequence == 0xFFFFFFFF ||
> >> >> + p->TscSequence == 0 ); /* Avoid both 'invalid' values */
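Review bot: the do/while at the end of this hunk re-reads p->TscSequence from the guest-shared page in its termination test, so a second vCPU that stores 0 or 0xFFFFFFFF into the field between the increment and the re-read can keep the hypervisor spinning in this loop indefinitely; compute the next value in a local and store it once, e.g. `x = p->TscSequence; do { x++; } while ( !x || !(x + 1) ); p->TscSequence = x;`, using a single-access (ACCESS_ONCE-style) read and write so the compiler cannot reintroduce the re-read. A smaller documentation point: the comment says the scale is "cpu ticks per 100ns shifted left by 64", but with ReferenceTime = ((RDTSC() * TscScale) >> 64) + TscOffset the value needed is 100ns periods per cpu tick scaled by 2^64, which is what `((10000ul << 32) / d->arch.tsc_khz) << 32` actually computes; the comment has the ratio inverted.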
> >> >
> >> > Anthony Liguori and I were looking this over today and he pointed
> >> > something out: couldn't a second vCPU of the guest write 0 or
> >> > 0xffffffff in a tight loop to cause a hypervisor DoS?
> >>
> >> Yes, this is at least a theoretical issue that should be fixed. I don't
> >> think it's a practical issue though: I'd expect the compiler to eliminate
> >> the two reads of the field and instead directly use the result of the
> >> increment.
> >
> > Wouldn't that just mean the attacker needs to write fffffffe or ffffffff
> > instead?
>
> No. The effect of what I said would amount to
>
> x = p->TscSequence;
> do {
> x++;
> } while ( !(x + 1) || !x )
> p->TscSequence = x;
>
> (or something equivalent without using a loop).
Ah right. Perhaps it would be better to write it that way and use some sort
of ACCESS_ONCE-like macro to enforce it actually ends up that way rather
than rely on the vagaries of the compiler?
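The two loop shapes discussed in this thread, side by side, as an added example that is not code from the patch or from Xen: `posted_loop_iterations` runs the do/while exactly as quoted above (re-reading the shared field in the condition) while a simulated second vCPU writes 0 between the increment and the re-read, and `fixed_update` does what Jan's rewrite does, reading the field once into a local and writing it back once through an ACCESS_ONCE-style volatile access. `tsc_scale` and `reference_time` reproduce the TscScale expression and the guest-side formula from the quoted comment so the units can be checked. The `ref_tsc_page` struct, the `READ_ONCE_U32`/`WRITE_ONCE_U32` macros, the `hostile_vcpu` interleaving hook and the zero-frequency guard in `tsc_scale` are assumptions of this example; `__uint128_t` is a gcc/clang extension.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the guest-shared reference TSC page.  The
 * field names follow the quoted patch; the layout itself is assumed. */
struct ref_tsc_page {
    uint32_t TscSequence;
    uint64_t TscScale;
    int64_t  TscOffset;
};

/* Minimal ACCESS_ONCE-style helpers: force exactly one load / one store. */
#define READ_ONCE_U32(x)     (*(volatile uint32_t *)&(x))
#define WRITE_ONCE_U32(x, v) (*(volatile uint32_t *)&(x) = (v))

/* Models a second vCPU storing into the shared page between two
 * hypervisor accesses.  It always writes the "invalid" value 0. */
static void hostile_vcpu(volatile uint32_t *seq)
{
    *seq = 0;
}

/* The loop as posted: the while-condition re-reads the shared field, so a
 * store that lands between the increment and the re-read keeps the
 * condition true.  Returns the iterations taken, or -1 once max_iters is
 * exceeded (meaning the real loop would never terminate). */
int posted_loop_iterations(uint32_t start, int hostile, int max_iters)
{
    volatile struct ref_tsc_page page = { .TscSequence = start };
    volatile struct ref_tsc_page *p = &page;   /* volatile: keep every re-read */
    int iters = 0;

    do {
        p->TscSequence++;
        if (hostile)
            hostile_vcpu(&p->TscSequence);
        if (++iters > max_iters)
            return -1;
    } while (p->TscSequence == 0xFFFFFFFF || p->TscSequence == 0);
    return iters;
}

/* Next valid sequence number computed from a snapshot.  The loop only
 * touches the local, so at most two extra increments are ever needed. */
uint32_t next_sequence(uint32_t cur)
{
    uint32_t x = cur;
    do {
        x++;
    } while (x == 0xFFFFFFFF || x == 0);
    return x;
}

/* Hardened update: one READ_ONCE, local arithmetic, one WRITE_ONCE.
 * Returns the value stored.  A hostile vCPU racing with us can only
 * overwrite the result afterwards; it cannot stall the hypervisor. */
uint32_t fixed_update(uint32_t start, int hostile)
{
    struct ref_tsc_page page = { .TscSequence = start };
    uint32_t x = READ_ONCE_U32(page.TscSequence);

    if (hostile)
        hostile_vcpu(&page.TscSequence);   /* x is already a local copy */
    x = next_sequence(x);
    WRITE_ONCE_U32(page.TscSequence, x);
    return x;
}

/* TscScale as the patch computes it: 10^4 / tsc_khz scaled by 2^64, i.e.
 * 100ns periods per TSC tick in 64.64 fixed point. */
uint64_t tsc_scale(uint32_t tsc_khz)
{
    if (tsc_khz == 0)
        return 0;   /* added guard for this example; the patch has none */
    return ((UINT64_C(10000) << 32) / tsc_khz) << 32;
}

/* Guest-side formula from the quoted comment: ((tsc * scale) >> 64) + offset. */
uint64_t reference_time(uint64_t tsc, uint64_t scale, int64_t offset)
{
    return (uint64_t)(((__uint128_t)tsc * scale) >> 64) + (uint64_t)offset;
}

int main(void)
{
    printf("posted loop, no interference, from 5: %d iteration(s)\n",
           posted_loop_iterations(5, 0, 1000));
    printf("posted loop, hostile vCPU writing 0: %d (-1 = never terminates)\n",
           posted_loop_iterations(5, 1, 1000));
    printf("fixed update under the same interference stores %u\n",
           (unsigned)fixed_update(5, 1));
    printf("1 s of TSC at 2.56 GHz -> %llu x 100ns\n",
           (unsigned long long)reference_time(2560000000ULL, tsc_scale(2560000), 0));
    return 0;
}
```

The 2.56 GHz figure is chosen because 10^4 * 2^32 / 2560000 is exact (2^24), so one second of ticks maps to exactly 10^7 hundred-nanosecond units and any off-by-one in the shift would show up immediately.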
Thread overview: 14+ messages
2014-09-29 10:28 [PATCH v2] x86/viridian: Add Partition Reference Time enlightenment Paul Durrant
2014-10-10 11:55 ` Egger, Christoph
2014-10-13 8:53 ` Egger, Christoph
2014-10-13 9:31 ` Jan Beulich
2014-10-13 10:33 ` Paul Durrant
2014-10-10 16:36 ` Matt Wilson
2014-10-13 8:10 ` Jan Beulich
2014-10-14 7:45 ` Ian Campbell
2014-10-14 9:56 ` Jan Beulich
2014-10-14 10:04 ` Ian Campbell [this message]
2014-10-14 10:12 ` Jan Beulich
2014-10-14 10:16 ` Paul Durrant
-- strict thread matches above, loose matches on Subject: below --
2014-10-13 14:24 Paul Durrant
2014-10-13 14:25 ` Paul Durrant