From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ian Campbell
Subject: Re: [PATCH v2] x86/viridian: Add Partition Reference Time enlightenment
Date: Tue, 14 Oct 2014 11:04:49 +0100
Message-ID: <1413281089.10417.21.camel@citrix.com>
References: <1411986524-5201-1-git-send-email-paul.durrant@citrix.com>
 <20141010163616.GA27670@u109add4315675089e695.ant.amazon.com>
 <543BA520020000780003E1B1@mail.emea.novell.com>
 <1413272731.1497.8.camel@citrix.com>
 <543D0F5A020000780003E9B8@mail.emea.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <543D0F5A020000780003E9B8@mail.emea.novell.com>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich
Cc: Keir Fraser, Stefano Stabellini, Matt Wilson, Christoph Egger, Ian Jackson, xen-devel@lists.xen.org, Paul Durrant, Anthony Liguori
List-Id: xen-devel@lists.xenproject.org

On Tue, 2014-10-14 at 10:56 +0100, Jan Beulich wrote:
> >>> On 14.10.14 at 09:45, wrote:
> > On Mon, 2014-10-13 at 09:10 +0100, Jan Beulich wrote:
> >> >>> On 10.10.14 at 18:36, wrote:
> >> > On Mon, Sep 29, 2014 at 11:28:44AM +0100, Paul Durrant wrote:
> >> >> + /*
> >> >> + * The guest will calculate reference time according to the following
> >> >> + * formula:
> >> >> + *
> >> >> + * ReferenceTime = ((RDTSC() * TscScale) >> 64) + TscOffset
> >> >> + *
> >> >> + * Windows uses a 100ns tick, so we need a scale which is cpu
> >> >> + * ticks per 100ns shifted left by 64.
> >> >> + */
> >> >> + p->TscScale = ((10000ul << 32) / d->arch.tsc_khz) << 32;
> >> >> +
> >> >> + do {
> >> >> + p->TscSequence++;
> >> >> + } while ( p->TscSequence == 0xFFFFFFFF ||
> >> >> + p->TscSequence == 0 ); /* Avoid both 'invalid' values */
> >> >
> >> > Anthony Liguori and I were looking this over today and he pointed
> >> > something out: couldn't a second vCPU of the guest write 0 or
> >> > 0xffffffff in a tight loop to cause a hypervisor DoS?
> >>
> >> Yes, this is at least a theoretical issue that should be fixed. I don't
> >> think it's a practical issue though: I'd expect the compiler to eliminate
> >> the two reads of the field and instead directly use the result of the
> >> increment.
> >
> > Wouldn't that just mean the attacker needs to write fffffffe or ffffffff
> > instead?
>
> No. The effect of what I said would amount to
>
> x = p->TscSequence;
> do {
> x++;
> } while ( !(x + 1) || !x )
> p->TscSequence = x;
>
> (or something equivalent without using a loop).

Ah right. Perhaps it would be better to write it that way and use some sort of ACCESS_ONCE like macro to enforce it actually ends up that way rather than rely on the vagaries of the compiler?
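Review bot: the do/while re-reads p->TscSequence from the guest-visible page on every iteration, so the loop's exit condition depends on memory another vCPU of the guest can write; if it keeps storing 0 or 0xFFFFFFFF there, the hypervisor does not leave the loop, and whether the compiler happens to fold the two reads into the increment result is not something the code should rely on. Compute the next value in a local and touch the shared field exactly once each way, e.g. `seq = p->TscSequence; do { seq++; } while ( seq == 0xFFFFFFFF || seq == 0 ); p->TscSequence = seq;`, with the initial read and the final store going through an ACCESS_ONCE-style volatile accessor so the compiler cannot reintroduce extra accesses. Separately, the comment above p->TscScale says the scale is "cpu ticks per 100ns shifted left by 64", but `((10000ul << 32) / d->arch.tsc_khz) << 32` is 10000/tsc_khz shifted left by 64, i.e. 100ns units per cpu tick (tsc_khz is ticks per ms and there are 10000 100ns units in a ms), which is what the stated formula needs; the comment wording is inverted relative to the code.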
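The single-read, single-write sequence update that Jan sketches, combined with Ian's ACCESS_ONCE suggestion, as an added C example that is not code from the patch or from Xen; the ACCESS_ONCE macro and the ref_tsc_page struct below are local stand-ins, not Xen's definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for a Linux/Xen-style ACCESS_ONCE(): a single volatile
 * access, so the compiler can neither re-read nor re-store the field.
 * (Hypothetical macro for this example, not Xen's own definition.) */
#define ACCESS_ONCE(x) (*(volatile __typeof__(x) *)&(x))

/* Constructed stand-in for the guest-writable reference-time page;
 * only the field relevant to the sequence update is modelled. */
struct ref_tsc_page {
    uint32_t TscSequence;
};

/* Next valid sequence value after `cur`, skipping the two values the
 * enlightenment treats as 'invalid' (0 and 0xFFFFFFFF). Pure function
 * of its argument: no shared memory is touched here. */
static uint32_t next_tsc_sequence(uint32_t cur)
{
    uint32_t x = cur;

    do {
        x++;
    } while ( x == 0xFFFFFFFF || x == 0 );

    return x;
}

/* Advance the sequence in the shared page with exactly one read and one
 * write of the guest-writable field. A guest vCPU storing 0 or
 * 0xFFFFFFFF concurrently can no longer keep the hypervisor spinning:
 * the loop runs on a local copy and terminates after at most three
 * increments. Returns the value written. */
static uint32_t bump_tsc_sequence(struct ref_tsc_page *p)
{
    uint32_t seq = next_tsc_sequence(ACCESS_ONCE(p->TscSequence));

    ACCESS_ONCE(p->TscSequence) = seq;
    return seq;
}

int main(void)
{
    struct ref_tsc_page page = { .TscSequence = 0xFFFFFFFE };
    uint32_t before = page.TscSequence;
    uint32_t after = bump_tsc_sequence(&page);

    printf("TscSequence %#x -> %#x\n", before, after);
    return 0;
}
```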