From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:34144) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bCpuZ-000433-6T for qemu-devel@nongnu.org; Tue, 14 Jun 2016 11:05:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bCpuU-0006E7-5O for qemu-devel@nongnu.org; Tue, 14 Jun 2016 11:05:51 -0400 Received: from mail.kernel.org ([198.145.29.136]:54198) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bCpuT-0006DJ-Ga for qemu-devel@nongnu.org; Tue, 14 Jun 2016 11:05:45 -0400 From: Stefano Stabellini Date: Tue, 14 Jun 2016 16:05:37 +0100 Message-Id: <1465916738-15687-1-git-send-email-sstabellini@kernel.org> In-Reply-To: References: Subject: [Qemu-devel] [PULL 1/2] xen/blkif: avoid double access to any shared ring request fields List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: peter.maydell@linaro.org Cc: xen-devel@lists.xen.org, sstabellini@kernel.org, qemu-devel@nongnu.org, anthony.perard@citrix.com, Jan Beulich , Jan Beulich From: Jan Beulich Commit f9e98e5d7a ("xen/blkif: Avoid double access to src->nr_segments") didn't go far enough: src->operation is also being used twice. And nothing was done to prevent the compiler from using the source side of the copy done by blk_get_request() (granted that's very unlikely). Move the barrier()s up, and add another one to blk_get_request(). Note that for completing XSA-155, the barrier() getting added to blk_get_request() would suffice, and hence the changes to xen_blkif.h are more like just cleanup. And since, as said, the unpatched code getting compiled to something vulnerable is very unlikely (and not observed in practice), this isn't being viewed as a new security issue. Signed-off-by: Jan Beulich Reviewed-by: Stefano Stabellini Signed-off-by: Stefano Stabellini --- hw/block/xen_blkif.h | 12 ++++++------ hw/block/xen_disk.c | 2 ++ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h index c68487cb..e3b133b 100644 --- a/hw/block/xen_blkif.h +++ b/hw/block/xen_blkif.h @@ -79,14 +79,14 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) @@ -102,14 +102,14 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque dst->handle = src->handle; dst->id = src->id; dst->sector_number = src->sector_number; - if (src->operation == BLKIF_OP_DISCARD) { + /* Prevent the compiler from using src->... instead. */ + barrier(); + if (dst->operation == BLKIF_OP_DISCARD) { struct blkif_request_discard *s = (void *)src; struct blkif_request_discard *d = (void *)dst; d->nr_sectors = s->nr_sectors; return; } - /* prevent the compiler from optimizing the code and using src->nr_segments instead */ - barrier(); if (n > dst->nr_segments) n = dst->nr_segments; for (i = 0; i < n; i++) diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c index 064c116..cf57814 100644 --- a/hw/block/xen_disk.c +++ b/hw/block/xen_disk.c @@ -679,6 +679,8 @@ static int blk_get_request(struct XenBlkDev *blkdev, struct ioreq *ioreq, RING_I RING_GET_REQUEST(&blkdev->rings.x86_64_part, rc)); break; } + /* Prevent the compiler from accessing the on-ring fields instead. */ + barrier(); return 0; } -- 1.9.1