From: "Roger Pau Monné" <roger.pau@citrix.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
xen-devel@lists.xenproject.org
Subject: Re: [PATCH v2 3/5] x86/xlat: fix UB pointer arithmetic in COMPAT_ARG_XLAT_VIRT_BASE
Date: Tue, 18 Mar 2025 18:50:37 +0100 [thread overview]
Message-ID: <Z9mybWM1a-9nvm-n@macbook.local> (raw)
In-Reply-To: <1e37eb58-21a0-49a1-b7fe-9c950b32e2e6@suse.com>
On Tue, Mar 18, 2025 at 06:01:46PM +0100, Jan Beulich wrote:
> On 18.03.2025 17:47, Roger Pau Monné wrote:
> > On Tue, Mar 18, 2025 at 04:50:58PM +0100, Jan Beulich wrote:
> >> On 18.03.2025 16:35, Roger Pau Monné wrote:
> >>> On Tue, Mar 18, 2025 at 03:33:03PM +0100, Jan Beulich wrote:
> >>>> On 18.03.2025 10:19, Roger Pau Monne wrote:
> >>>>> --- a/xen/arch/x86/include/asm/x86_64/uaccess.h
> >>>>> +++ b/xen/arch/x86/include/asm/x86_64/uaccess.h
> >>>>> @@ -9,9 +9,9 @@
> >>>>> * a secondary mapping installed, which needs to be used for such accesses in
> >>>>> * the PV case, and will also be used for HVM to avoid extra conditionals.
> >>>>> */
> >>>>> -#define COMPAT_ARG_XLAT_VIRT_BASE ((void *)ARG_XLAT_START(current) + \
> >>>>> - (PERDOMAIN_ALT_VIRT_START - \
> >>>>> - PERDOMAIN_VIRT_START))
> >>>>> +#define COMPAT_ARG_XLAT_VIRT_BASE ((void *)ARG_XLAT_START(current) - \
> >>>>> + (PERDOMAIN_VIRT_START - \
> >>>>> + PERDOMAIN_ALT_VIRT_START))
> >>>>
> >>>> Aren't we then (still) dependent on ordering between PERDOMAIN_VIRT_START
> >>>> and PERDOMAIN_ALT_VIRT_START? Would
> >>>>
> >>>> #define COMPAT_ARG_XLAT_VIRT_BASE ((void *)ARG_XLAT_START(current) - \
> >>>> PERDOMAIN_VIRT_START + \
> >>>> PERDOMAIN_ALT_VIRT_START)
> >>>>
> >>>> perhaps be less fragile?
> >>>
> >>> PERDOMAIN_{ALT_,}VIRT_START are unsigned long, so this might work.
> >>>
> >>> Note however that even with your suggestion we are still dependant on
> >>> ARG_XLAT_START(v) > PERDOMAIN_ALT_VIRT_START, or else the '-' won't
> >>> work. I think I prefer my proposed version, because it's clear that
> >>> PERDOMAIN_VIRT_START, ARG_XLAT_START(current) >
> >>> PERDOMAIN_ALT_VIRT_START.
> >>
> >> What makes that clear? Can't we move PERDOMAIN_ALT_VIRT_START pretty
> >> much at will?
> >
> > We would need to adjust the calculations here again, if
> > PERDOMAIN_ALT_VIRT_START > PERDOMAIN_VIRT_START the subtraction would
> > lead to an underflow, and would also be UB pointer arithmetic?
>
> With
>
> #define ARG_XLAT_VIRT_START PERDOMAIN_VIRT_SLOT(2)
>
> I can't see how subtracting PERDOMAIN_VIRT_START could lead to an underflow.
> The idea of the expression suggested is to first subtract the area base (no
> underflow) and then add the other area's base (no overflow).
Oh, right, I was reading it wrong sorry, somehow I was (still) seeing
a pair of braces around PERDOMAIN_VIRT_START +
PERDOMAIN_ALT_VIRT_START when there are none. Yes, I will adjust to
your suggestion.
Thanks, Roger.
next prev parent reply other threads:[~2025-03-18 17:51 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-18 9:18 [PATCH v2 0/5] x86/ubsan: fix ubsan on clang + code fixes Roger Pau Monne
2025-03-18 9:19 ` [PATCH v2 1/5] x86/wait: prevent duplicated assembly labels Roger Pau Monne
2025-03-18 12:49 ` Andrew Cooper
2025-03-18 9:19 ` [PATCH v2 2/5] x86/vga: fix mapping of the VGA text buffer Roger Pau Monne
2025-03-18 13:11 ` Andrew Cooper
2025-03-18 14:28 ` Jan Beulich
2025-03-18 15:31 ` Roger Pau Monné
2025-03-18 15:49 ` Jan Beulich
2025-03-18 9:19 ` [PATCH v2 3/5] x86/xlat: fix UB pointer arithmetic in COMPAT_ARG_XLAT_VIRT_BASE Roger Pau Monne
2025-03-18 12:51 ` Andrew Cooper
2025-03-18 14:33 ` Jan Beulich
2025-03-18 15:35 ` Roger Pau Monné
2025-03-18 15:50 ` Jan Beulich
2025-03-18 16:47 ` Roger Pau Monné
2025-03-18 17:01 ` Jan Beulich
2025-03-18 17:50 ` Roger Pau Monné [this message]
2025-03-18 9:19 ` [PATCH v2 4/5] x86/shadow: fix UB pointer arithmetic in sh_mfn_is_a_page_table() Roger Pau Monne
2025-03-18 12:53 ` Andrew Cooper
2025-03-18 14:36 ` Jan Beulich
2025-03-18 15:29 ` Roger Pau Monné
2025-03-18 15:27 ` Roger Pau Monné
2025-03-18 9:19 ` [PATCH v2 5/5] kconfig/randconfig: enable UBSAN for randconfig Roger Pau Monne
2025-03-18 12:57 ` Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9mybWM1a-9nvm-n@macbook.local \
--to=roger.pau@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=jbeulich@suse.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.