From: David Woodhouse <dwmw2@infradead.org>
To: Jan Beulich <JBeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
"H. Peter Anvin" <h.peter.anvin@intel.com>,
xen-devel@lists.xen.org
Subject: Re: Xen Security Advisory 154 (CVE-2016-2270) - x86: inconsistent cachability flags on guest mappings
Date: Wed, 25 Jan 2017 16:08:54 +0000 [thread overview]
Message-ID: <1485360534.4727.127.camel@infradead.org> (raw)
In-Reply-To: <5888C2810200007800133CDC@prv-mh.provo.novell.com>
[-- Attachment #1.1: Type: text/plain, Size: 3094 bytes --]
On Wed, 2017-01-25 at 07:21 -0700, Jan Beulich wrote:
>
> If there wasn't INVALID_MFN to be taken care of, the !mfn_valid()
> check could simply move down, and be combined with the
> direct_mmio one.
As discussed on IRC, once we fix the overflow with order > 0, I think
INVALID_MFN is OK. Not that it should ever really happen, AFAICT.
This seems to do the right thing for my MMIO WC test. I haven't
actually combined the !mfn_valid() check with the direct_mmio one.
Under what circumstances does that make sense anyway? For now in the
patch below I've left it *forcing* UC, unlike the direct_mmio path
which lets the guest use WC. But really, shouldn't the '!direct_mmio &&
!mfn_valid()' case just return an error?
Note that as well as using a mask for 'order' I've attempted to
consolidate the unlikely rangeset_overlaps_range() and
rangeset_contains_range() calls, on the assumption that the former will
*always* be true if the latter is, so we only need one of them in the
fast path through the function.
diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
index 709759c..09c2f5c 100644
--- a/xen/arch/x86/hvm/mtrr.c
+++ b/xen/arch/x86/hvm/mtrr.c
@@ -773,20 +773,24 @@ int epte_get_entry_emt(struct domain *d, unsigned long gfn, mfn_t mfn,
if ( v->domain != d )
v = d->vcpu ? d->vcpu[0] : NULL;
- if ( !mfn_valid(mfn_x(mfn)) ||
- rangeset_contains_range(mmio_ro_ranges, mfn_x(mfn),
- mfn_x(mfn) + (1UL << order) - 1) )
+ /* INVALID_MFN should never happen here, but if it does then this
+ * should do the right thing instead of exploding */
+ if ( unlikely(rangeset_overlaps_range(mmio_ro_ranges, mfn_x(mfn),
+ mfn_x(mfn) | ((1UL << order) - 1))) )
{
- *ipat = 1;
- return MTRR_TYPE_UNCACHABLE;
+ if ( rangeset_contains_range(mmio_ro_ranges, mfn_x(mfn),
+ mfn_x(mfn) | ((1UL << order) - 1)) )
+ {
+ *ipat = 1;
+ return MTRR_TYPE_UNCACHABLE;
+ }
+ /* Overlaps mmio_ro_ranges but is not entirely contained. No. */
+ return -1;
}
- if ( rangeset_overlaps_range(mmio_ro_ranges, mfn_x(mfn),
- mfn_x(mfn) + (1UL << order) - 1) )
- return -1;
-
if ( direct_mmio )
{
+ /* Again, INVALID_MFN should do the right thing here. */
if ( (mfn_x(mfn) ^ d->arch.hvm_domain.vmx.apic_access_mfn) >> order )
return MTRR_TYPE_UNCACHABLE;
if ( order )
@@ -795,6 +799,12 @@ int epte_get_entry_emt(struct domain *d, unsigned long gfn, mfn_t mfn,
return MTRR_TYPE_WRBACK;
}
+ if ( unlikely(!mfn_valid(mfn_x(mfn))) )
+ {
+ *ipat = 1;
+ return MTRR_TYPE_UNCACHABLE;
+ }
+
if ( !need_iommu(d) && !cache_flush_permitted(d) )
{
*ipat = 1;
[-- Attachment #1.2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 4938 bytes --]
[-- Attachment #2: Type: text/plain, Size: 127 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-01-25 16:08 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-17 12:28 Xen Security Advisory 154 (CVE-2016-2270) - x86: inconsistent cachability flags on guest mappings Xen.org security team
2017-01-25 14:08 ` David Woodhouse
2017-01-25 14:21 ` Jan Beulich
2017-01-25 14:34 ` David Woodhouse
2017-01-25 16:08 ` David Woodhouse [this message]
2017-01-26 8:57 ` [PATCH] x86: Allow write-combining on MMIO mappings again David Woodhouse
2017-01-26 10:45 ` Jan Beulich
2017-01-26 10:55 ` David Woodhouse
2017-01-26 11:32 ` Jan Beulich
2017-01-26 12:39 ` [PATCH v2] x86/ept: Allow write-combining on !mfn_valid() " David Woodhouse
2017-01-26 14:35 ` Jan Beulich
2017-01-26 14:42 ` David Woodhouse
2017-01-26 14:50 ` [PATCH v3] " David Woodhouse
2017-01-26 15:48 ` Jan Beulich
2017-01-27 15:36 ` Konrad Rzeszutek Wilk
2017-02-06 11:33 ` David Woodhouse
2017-02-07 5:08 ` Tian, Kevin
2017-04-14 7:51 ` Tian, Kevin
2017-02-07 5:05 ` Tian, Kevin
2017-02-08 16:04 ` David Woodhouse
2017-02-01 20:23 ` Xen Security Advisory 154 (CVE-2016-2270) - x86: inconsistent cachability flags on guest mappings David Woodhouse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1485360534.4727.127.camel@infradead.org \
--to=dwmw2@infradead.org \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=h.peter.anvin@intel.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).