From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>,
xen-devel <xen-devel@lists.xenproject.org>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>,
Keir Fraser <keir@xen.org>, Tim Deegan <tim@xen.org>,
Ian Jackson <Ian.Jackson@eu.citrix.com>
Subject: Re: [PATCH] x86: (allow to) override LIST_POISON*
Date: Fri, 14 Nov 2014 14:55:59 +0000
Message-ID: <546617FF.40206@citrix.com>
In-Reply-To: <546625590200007800047B7E@mail.emea.novell.com>

On 14/11/14 14:52, Jan Beulich wrote:
> Having these point into space not controlled by the hypervisor provides
> an unnecessary attack surface. Allow architectures to override them and
> utilize that override to make them non-canonical addresses (thus
> causing #GP rather than #PF when dereferenced).
>
> Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

> ---
> The security aspect of this makes Andrew and me think this should be
> considered for 4.5 despite it not fixing an actual bug.
>
> --- a/xen/include/asm-x86/config.h
> +++ b/xen/include/asm-x86/config.h
> @@ -106,6 +106,10 @@
> /* Return value for zero-size _xmalloc(), distinguished from NULL. */
> #define ZERO_BLOCK_PTR ((void *)0xBAD0BAD0BAD0BAD0UL)
>
> +/* Override include/xen/list.h to make these non-canonical addresses. */
> +#define LIST_POISON1 ((void *)0x0100100100100100UL)
> +#define LIST_POISON2 ((void *)0x0200200200200200UL)
> +
> #ifndef __ASSEMBLY__
> extern unsigned long trampoline_phys;
> #define bootsym_phys(sym) \
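
Review bot: The comment above the new LIST_POISON1/LIST_POISON2 defines states that the values are non-canonical but not what makes them so; it would help to say that the upper address bits are neither all zero nor all one, so that a later change of the constants keeps the property that the commit message relies on (#GP instead of #PF). The override also only takes effect if this header is processed before xen/list.h, and the visible part of list.h includes only xen/lib.h and asm/system.h, so a short note on how that ordering is guaranteed would be worth adding here.
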
> --- a/xen/include/xen/list.h
> +++ b/xen/include/xen/list.h
> @@ -10,12 +10,15 @@
> #include <xen/lib.h>
> #include <asm/system.h>
>
> -/* These are non-NULL pointers that will result in page faults
> - * under normal circumstances, used to verify that nobody uses
> - * non-initialized list entries.
> +/*
> + * These are non-NULL pointers that will result in faults under normal
> + * circumstances, used to verify that nobody uses non-initialized list
> + * entries. Architectures can override these.
> */
> +#ifndef LIST_POISON1
> #define LIST_POISON1 ((void *) 0x00100100)
> #define LIST_POISON2 ((void *) 0x00200200)
> +#endif
>
> /*
> * Simple doubly linked list implementation.
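
Review bot: The single "#ifndef LIST_POISON1" guard wraps both defaults, so an architecture that defines only LIST_POISON1 ends up with no LIST_POISON2, and one that defines only LIST_POISON2 gets a conflicting redefinition from this block. Either guard each macro with its own #ifndef, or extend "Architectures can override these." to say that both must be defined together and before this header is included.
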
>
>
>
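
The difference the commit message describes between the old and new poison values, as an added example that is not part of the original thread or of the Xen source. The function names and the 4 KiB span are assumptions made for illustration; the four constants are the ones in the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from the patch; ULL keeps them 64-bit on every host. */
#define OLD_POISON1 0x00100100ULL
#define OLD_POISON2 0x00200200ULL
#define NEW_POISON1 0x0100100100100100ULL
#define NEW_POISON2 0x0200200200200200ULL

/*
 * An x86-64 virtual address is canonical when bits 63..(va_bits-1) are all
 * equal. va_bits is 48 with 4-level paging and 57 with 5-level paging.
 */
static bool is_canonical(uint64_t addr, unsigned int va_bits)
{
    uint64_t upper = addr >> (va_bits - 1);
    return upper == 0 || upper == (UINT64_MAX >> (va_bits - 1));
}

/*
 * List code dereferences a poisoned pointer at a small offset (->next,
 * ->prev). The non-canonical hole is one contiguous range, so if both ends
 * of [base, base + span) lie in it without wrapping, no mapping anyone
 * creates can make the access succeed.
 * "span" is a hypothetical bound chosen for this example.
 */
static bool span_noncanonical(uint64_t base, uint64_t span, unsigned int va_bits)
{
    uint64_t last = base + span - 1;
    return last >= base && !is_canonical(base, va_bits) &&
           !is_canonical(last, va_bits);
}

int main(void)
{
    const uint64_t v[] = { OLD_POISON1, OLD_POISON2, NEW_POISON1, NEW_POISON2 };
    for (size_t i = 0; i < sizeof(v) / sizeof(v[0]); i++)
        printf("%#018llx  48-bit:%s  57-bit:%s  4KiB span safe:%s\n",
               (unsigned long long)v[i],
               is_canonical(v[i], 48) ? "canonical" : "non-canonical",
               is_canonical(v[i], 57) ? "canonical" : "non-canonical",
               span_noncanonical(v[i], 4096, 48) ? "yes" : "no");
    return 0;
}
```

The old values fall in the low canonical half, where whether a dereference faults depends on what is mapped there; the new ones are non-canonical under both 48-bit and 57-bit addressing.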