From: Andrew Cooper <andrew.cooper3@citrix.com>
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: Xen-devel <xen-devel@lists.xenproject.org>,
"Daniel P. Smith" <dpsmith@apertussolutions.com>,
Jan Beulich <JBeulich@suse.com>
Subject: Re: [PATCH 2/3] x86/boot: Fix microcode module handling during PVH boot
Date: Wed, 23 Oct 2024 18:12:02 +0100 [thread overview]
Message-ID: <55b7ebb4-9d10-45ca-b357-fd91ef169ff0@citrix.com> (raw)
In-Reply-To: <Zxkr9il-X0hK2GFv@macbook.local>
On 23/10/2024 6:01 pm, Roger Pau Monné wrote:
> On Wed, Oct 23, 2024 at 11:57:55AM +0100, Andrew Cooper wrote:
>> From: "Daniel P. Smith" <dpsmith@apertussolutions.com>
>>
>> As detailed in commit 0fe607b2a144 ("x86/boot: Fix PVH boot during boot_info
>> transition period"), the use of __va(mbi->mods_addr) constitutes a
>> use-after-free on the PVH boot path.
>>
>> This pattern has been in use since before PVH support was added. Inside a PVH
>> VM, it will go unnoticed as long as the microcode container parser doesn't
>> choke on the random data it finds.
>>
>> The use within early_microcode_init() happens to be safe because it's prior to
>> move_xen(). microcode_init_cache() is after move_xen(), and therefore unsafe.
>>
>> Plumb the boot_info pointer down, replacing module_map and mbi. Importantly,
>> bi->mods[].mod is a safe way to access the module list during PVH boot.
>>
>> Note: microcode_scan_module() is still bogusly stashing a bootstrap_map()'d
>> pointer in ucode_blob.data, which constitutes a different
>> use-after-free, and only works in general because of a second bug. This
>> is unrelated to PVH, and needs untangling differently.
>>
>> Signed-off-by: Daniel P. Smith <dpsmith@apertussolutions.com>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> ---
>> CC: Jan Beulich <JBeulich@suse.com>
>> CC: Roger Pau Monné <roger.pau@citrix.com>
>> CC: Daniel P. Smith <dpsmith@apertussolutions.com>
>>
>> Refectored/extracted from the hyperlaunch series.
>>
>> There's no good Fixes tag for this, because it can't reasonably be "introduce
>> PVH", nor can the fix as-is reasonably be backported. If we want to fix the
>> bug in older trees, we need to plumb the mod pointer down alongside mbi.
>> ---
>> xen/arch/x86/cpu/microcode/core.c | 40 +++++++++++-----------------
>> xen/arch/x86/include/asm/microcode.h | 8 +++---
>> xen/arch/x86/setup.c | 4 +--
>> 3 files changed, 22 insertions(+), 30 deletions(-)
>>
>> diff --git a/xen/arch/x86/cpu/microcode/core.c b/xen/arch/x86/cpu/microcode/core.c
>> index 8564e4d2c94c..1d58cb0f3bc1 100644
>> --- a/xen/arch/x86/cpu/microcode/core.c
>> +++ b/xen/arch/x86/cpu/microcode/core.c
>> @@ -35,6 +35,7 @@
>> #include <xen/watchdog.h>
>>
>> #include <asm/apic.h>
>> +#include <asm/bootinfo.h>
>> #include <asm/cpu-policy.h>
>> #include <asm/nmi.h>
>> #include <asm/processor.h>
>> @@ -152,11 +153,8 @@ static int __init cf_check parse_ucode(const char *s)
>> }
>> custom_param("ucode", parse_ucode);
>>
>> -static void __init microcode_scan_module(
>> - unsigned long *module_map,
>> - const multiboot_info_t *mbi)
>> +static void __init microcode_scan_module(struct boot_info *bi)
> Sorry to be pedantic, can't you keep bi as const?
Not really, no.
Yes technically in this patch, but no by the end of the hyperlaunch series.
I'm uninterested in taking extra churn just to have a pointer be const
for a few more patches.
[For the list, I conferred with Roger IRL and he was happy.]
~Andrew
next prev parent reply other threads:[~2024-10-23 17:12 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-23 10:57 [PATCH 0/3] x86/boot: Yet more PVH module handling fixes Andrew Cooper
2024-10-23 10:57 ` [PATCH 1/3] x86/boot: Add a temporary module_map pointer to boot_image Andrew Cooper
2024-10-23 11:14 ` Daniel P. Smith
2024-10-23 10:57 ` [PATCH 2/3] x86/boot: Fix microcode module handling during PVH boot Andrew Cooper
2024-10-23 12:17 ` Daniel P. Smith
2024-10-23 17:01 ` Roger Pau Monné
2024-10-23 17:12 ` Andrew Cooper [this message]
2024-10-23 10:57 ` [PATCH 3/3] x86/boot: Fix XSM " Andrew Cooper
2024-10-23 12:17 ` Daniel P. Smith
2024-10-23 17:04 ` Roger Pau Monné
2024-10-23 14:44 ` [PATCH 4/3] x86/boot: Remove the mbi_p parameter from __start_xen() Andrew Cooper
2024-10-23 14:58 ` Daniel P. Smith
2024-10-23 15:37 ` Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55b7ebb4-9d10-45ca-b357-fd91ef169ff0@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=dpsmith@apertussolutions.com \
--cc=roger.pau@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.