From: Andrew Cooper
Subject: Re: [PATCH] x86: (allow to) override LIST_POISON*
Date: Fri, 14 Nov 2014 14:55:59 +0000
Message-ID: <546617FF.40206@citrix.com>
References: <546625590200007800047B7E@mail.emea.novell.com>
In-Reply-To: <546625590200007800047B7E@mail.emea.novell.com>
To: Jan Beulich , xen-devel
Cc: Ian Campbell , Keir Fraser , Tim Deegan , Ian Jackson
List-Id: xen-devel@lists.xenproject.org

On 14/11/14 14:52, Jan Beulich wrote: > Having these point into space not controlled by the hypervisor provides > an unnecessary attack surface. Allow architectures to override them and > utilize that override to make them non-canonical addresses (thus > causing #GP rather than #PF when dereferenced). > > Suggested-by: Andrew Cooper > Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper > --- > The security aspect of this makes Andrew and me think this should be > considered for 4.5 despite it not fixing an actual bug. > > --- a/xen/include/asm-x86/config.h > +++ b/xen/include/asm-x86/config.h > @@ -106,6 +106,10 @@ > /* Return value for zero-size _xmalloc(), distinguished from NULL. */ > #define ZERO_BLOCK_PTR ((void *)0xBAD0BAD0BAD0BAD0UL) > > +/* Override include/xen/list.h to make these non-canonical addresses. */ > +#define LIST_POISON1 ((void *)0x0100100100100100UL) > +#define LIST_POISON2 ((void *)0x0200200200200200UL) > + > #ifndef __ASSEMBLY__ > extern unsigned long trampoline_phys; > #define bootsym_phys(sym) \ > --- a/xen/include/xen/list.h 
> +++ b/xen/include/xen/list.h > @@ -10,12 +10,15 @@ > #include > #include > > -/* These are non-NULL pointers that will result in page faults > - * under normal circumstances, used to verify that nobody uses > - * non-initialized list entries. > +/* > + * These are non-NULL pointers that will result in faults under normal > + * circumstances, used to verify that nobody uses non-initialized list > + * entries. Architectures can override these. > */ > +#ifndef LIST_POISON1 > #define LIST_POISON1 ((void *) 0x00100100) > #define LIST_POISON2 ((void *) 0x00200200) > +#endif > > /* > * Simple doubly linked list implementation. > > >
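Review bot: in the asm-x86/config.h hunk, the comment promises that the new LIST_POISON1/LIST_POISON2 values are non-canonical, but nothing documents or checks why. The property rests on bits 63..47 being neither all-zero nor all-one; 0x0100100100100100UL and 0x0200200200200200UL satisfy it because bit 56 (or 57) is set while bit 47 is clear. Either spell that out in the comment or add a build-time check on the values, so a later edit cannot quietly turn them back into canonical (and therefore mappable) addresses. Placement before `#ifndef __ASSEMBLY__` with a `(void *)` cast mirrors ZERO_BLOCK_PTR just above, so that is consistent as long as no assembly file picks the macros up.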
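Review bot: in the xen/list.h hunk, the single `#ifndef LIST_POISON1` guard wraps both defaults, while the new comment says "Architectures can override these" in the plural. An architecture that defines only LIST_POISON1 is left with LIST_POISON2 undefined (a build error, at least loud), and one that defines only LIST_POISON2 hits a redefinition against the default. Either guard each macro on its own, or make the pairing explicit, e.g. `#if !defined(LIST_POISON1) && !defined(LIST_POISON2)` for the defaults followed by `#elif !defined(LIST_POISON1) || !defined(LIST_POISON2)` / `#error "LIST_POISON1 and LIST_POISON2 must be overridden together"`.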
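The property the patch relies on, that the x86 override values are non-canonical (so a dereference raises #GP before any page walk, and no mapping can ever make them usable) while the generic defaults are ordinary low addresses that merely page-fault, can be checked offline. The following is an added example written for this page, not code from the patch or from Xen. It assumes 4-level paging (48-bit linear addresses, the x86-64 rule that bits 63..47 must all equal bit 47) and implements that rule itself, then applies it to the four LIST_POISON constants and the ZERO_BLOCK_PTR value quoted in the hunks above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: x86-64 with 4-level paging, i.e. 48-bit linear addresses.
 * A linear address is canonical when bits 63..47 are all copies of bit 47.
 * Anything else is rejected by the CPU with #GP, independently of page tables. */
#define VA_BITS 48

static bool is_canonical(uint64_t va)
{
    /* Arithmetic shift keeps the sign, so the result is 0 for a low
     * canonical address, -1 for a high canonical address, anything else
     * for a non-canonical one. */
    int64_t top = (int64_t)va >> (VA_BITS - 1);
    return top == 0 || top == -1;
}

/* Values quoted in the patch: generic defaults from xen/list.h, the x86
 * override from asm-x86/config.h, and ZERO_BLOCK_PTR from the same file. */
static const uint64_t generic_poison1 = 0x00100100UL;
static const uint64_t generic_poison2 = 0x00200200UL;
static const uint64_t x86_poison1     = 0x0100100100100100UL;
static const uint64_t x86_poison2     = 0x0200200200200200UL;
static const uint64_t zero_block_ptr  = 0xBAD0BAD0BAD0BAD0UL;

/* Returns the expected fault for a dereference: "#GP" for non-canonical
 * addresses, "#PF" for canonical ones that are unmapped (the pre-patch case,
 * which depends on nothing being mapped there). */
static const char *fault_on_deref(uint64_t va)
{
    return is_canonical(va) ? "#PF (only if unmapped)" : "#GP (always)";
}

int main(void)
{
    printf("generic LIST_POISON1 %#018lx -> %s\n", generic_poison1, fault_on_deref(generic_poison1));
    printf("generic LIST_POISON2 %#018lx -> %s\n", generic_poison2, fault_on_deref(generic_poison2));
    printf("x86 LIST_POISON1     %#018lx -> %s\n", x86_poison1, fault_on_deref(x86_poison1));
    printf("x86 LIST_POISON2     %#018lx -> %s\n", x86_poison2, fault_on_deref(x86_poison2));
    printf("ZERO_BLOCK_PTR       %#018lx -> %s\n", zero_block_ptr, fault_on_deref(zero_block_ptr));
    return 0;
}
```

The same predicate is what a build-time check in config.h would need to encode; note that 0xBAD0BAD0BAD0BAD0 is also non-canonical, so ZERO_BLOCK_PTR already enjoys the guarantee the patch extends to the list poison values.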