From: George Dunlap
Subject: Re: [PATCH v2] xen/arm: Correctly handle non-page aligned pointer in raw_copy_from_guest
Date: Tue, 18 Feb 2014 17:10:13 +0000
Message-ID: <530393F5.2010501@eu.citrix.com>
In-Reply-To: <1392742577-3052-1-git-send-email-julien.grall@linaro.org>
To: Julien Grall, xen-devel@lists.xenproject.org
Cc: stefano.stabellini@citrix.com, tim@xen.org, ian.campbell@citrix.com, George Dunlap

On 02/18/2014 04:56 PM, Julien Grall wrote:
> The current implementation of the raw_copy_guest helper may lead to data corruption
> and sometimes a Xen crash when the guest virtual address is not aligned to
> PAGE_SIZE.
>
> When the total length is higher than a page, the length to read is badly
> computed with
>     min(len, (unsigned)(PAGE_SIZE - offset))
>
> As the offset is only computed one time per function, if the start address was
> not aligned to PAGE_SIZE, we can end up in the same iteration:
> - reading across the page boundary => Xen crash
> - reading the previous page => data corruption
>
> This issue can be resolved by setting offset to 0 at the end of the first
> iteration. Indeed, after it, the virtual guest address is always aligned
> to PAGE_SIZE.
>
> Signed-off-by: Julien Grall
> Cc: George Dunlap
>
> ---
> This patch is a bug fix for Xen 4.4. Without this patch the data may be
> corrupted when Xen copies data from the guest if the guest virtual
> address is not aligned to PAGE_SIZE. Sometimes it can also crash Xen.
>
> This function is used in numerous places in Xen. If it introduces another
> bug, we will see it quickly with a small amount of data.

Release-acked-by: George Dunlap

>
> Changes in v2:
> - Only raw_copy_from_guest is buggy, the other raw_copy_*
> helpers were safe because of the "offset = 0" at the end of the loop
> - Update commit message and title
> ---
> xen/arch/arm/guestcopy.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/xen/arch/arm/guestcopy.c b/xen/arch/arm/guestcopy.c > index af0af6b..715bb4e 100644 > --- a/xen/arch/arm/guestcopy.c > +++ b/xen/arch/arm/guestcopy.c > @@ -96,6 +96,11 @@ unsigned long raw_copy_from_guest(void *to, const void __user *from, unsigned le > len -= size; > from += size; > to += size; > + /* > + * After the first iteration, guest virtual address is correctly > + * aligned to PAGE_SIZE. > + */ > + offset = 0; > } > return 0; > }
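Review bot: The `offset = 0` reset at the end of the loop body is the right fix for the stale-offset length computation, but the v2 changelog notes that the other raw_copy_* helpers already carry the same `offset = 0` at the end of their loops, which means raw_copy_from_guest had silently diverged from siblings doing the same page walk; consider a follow-up that factors the shared page-by-page loop into one helper so the next change cannot reintroduce the bug in only one copy direction. The changelog also gives no test for the case the commit message describes; a regression check that copies a buffer longer than PAGE_SIZE from a guest address that is not PAGE_SIZE-aligned and compares the result against the source would exercise exactly the second iteration where min(len, (unsigned)(PAGE_SIZE - offset)) was previously computed with the stale offset.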