From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>,
xen-devel <xen-devel@lists.xenproject.org>
Cc: Julien Grall <julien.grall@arm.com>
Subject: Re: [PATCH v2] x86: correct create_bounce_frame
Date: Fri, 5 May 2017 09:41:53 +0100 [thread overview]
Message-ID: <1d0c09c9-41f3-a512-3f1c-bc704fbabd31@citrix.com> (raw)
In-Reply-To: <590B4A4C0200007800156D49@prv-mh.provo.novell.com>
On 04/05/17 14:35, Jan Beulich wrote:
> Commit d9b7ef209a7 ("x86: drop failsafe callback invocation from
> assembly") didn't go quite far enough with the cleanup it did: The
> changed maximum frame size should also have been reflected in the early
> address range check (which has now been pointed out to have been wrong
> anyway, using 60 instead of 0x60), and it should have updated the
> comment ahead of the function.
>
> Also adjust the lower bound - all is fine (for our purposes) if the
> initial guest kernel stack pointer points right at the hypervisor base
> address, as only memory _below_ that address is going to be written.
>
> Additionally limit the number of times %rsi is being adjusted to what
> is really needed.
>
> Finally move exception fixup code into the designated .fixup section.
>
> Reported-by: Jann Horn <jannh@google.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
Thankyou. This code is now much easier to review. On that note,
> ---
> This corrects the code which did result in XSA-215 on Xen 4.6 and
> older. For that reason I at least want to explore whether this is a
> change we want to take for 4.9.
> ---
> v2: Change domain_crash_page_fault_* tags and add comment ahead of the
> labels. Convert 8(%rsi) to 1*8(%rsi) and (%rsi) to 0*8(%rsi).
>
> --- a/xen/arch/x86/x86_64/entry.S
> +++ b/xen/arch/x86/x86_64/entry.S
> @@ -258,7 +258,7 @@ int80_slow_path:
> jmp handle_exception_saved
>
> /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */
> -/* { RCX, R11, [DS-GS,] [CR2,] [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */
> +/* { RCX, R11, [ERRCODE,] RIP, CS, RFLAGS, RSP, SS } */
> /* %rdx: trap_bounce, %rbx: struct vcpu */
> /* On return only %rbx and %rdx are guaranteed non-clobbered. */
> create_bounce_frame:
> @@ -276,9 +276,9 @@ create_bounce_frame:
> movq UREGS_rsp+8(%rsp),%rsi
> andb $0xfc,UREGS_cs+8(%rsp) # Indicate kernel context to guest.
> 2: andq $~0xf,%rsi # Stack frames are 16-byte aligned.
> - movq $HYPERVISOR_VIRT_START,%rax
> + movq $HYPERVISOR_VIRT_START+1,%rax
> cmpq %rax,%rsi
> - movq $HYPERVISOR_VIRT_END+60,%rax
> + movq $HYPERVISOR_VIRT_END+8*8,%rax
> sbb %ecx,%ecx # In +ve address space? Then okay.
> cmpq %rax,%rsi
> adc %ecx,%ecx # Above Xen private area? Then okay.
> @@ -286,13 +286,13 @@ UNLIKELY_START(g, create_bounce_frame_ba
> lea UNLIKELY_DISPATCH_LABEL(create_bounce_frame_bad_sp)(%rip), %rdi
> jmp asm_domain_crash_synchronous /* Does not return */
> __UNLIKELY_END(create_bounce_frame_bad_sp)
> - subq $40,%rsi
> + subq $7*8,%rsi
> movq UREGS_ss+8(%rsp),%rax
> ASM_STAC
> movq VCPU_domain(%rbx),%rdi
> -.Lft2: movq %rax,32(%rsi) # SS
> +.Lft2: movq %rax,6*8(%rsi) # SS
> movq UREGS_rsp+8(%rsp),%rax
> -.Lft3: movq %rax,24(%rsi) # RSP
> +.Lft3: movq %rax,5*8(%rsi) # RSP
> movq VCPU_vcpu_info(%rbx),%rax
> pushq VCPUINFO_upcall_mask(%rax)
> testb $TBF_INTERRUPT,TRAPBOUNCE_flags(%rdx)
> @@ -301,7 +301,7 @@ __UNLIKELY_END(create_bounce_frame_bad_s
> popq %rax
> shlq $32,%rax # Bits 32-39: saved_upcall_mask
> movw UREGS_cs+8(%rsp),%ax # Bits 0-15: CS
> -.Lft4: movq %rax,8(%rsi) # CS / saved_upcall_mask
> +.Lft4: movq %rax,3*8(%rsi) # CS / saved_upcall_mask
> shrq $32,%rax
> testb $0xFF,%al # Bits 0-7: saved_upcall_mask
> setz %ch # %ch == !saved_upcall_mask
> @@ -313,20 +313,19 @@ __UNLIKELY_END(create_bounce_frame_bad_s
> testb $1 << VMASST_TYPE_architectural_iopl,DOMAIN_vm_assist(%rdi)
> cmovnzl VCPU_iopl(%rbx),%ecx # Bits 13:12 (EFLAGS.IOPL)
> orl %ecx,%eax # Fold EFLAGS.IOPL into %eax
> -.Lft5: movq %rax,16(%rsi) # RFLAGS
> +.Lft5: movq %rax,4*8(%rsi) # RFLAGS
> movq UREGS_rip+8(%rsp),%rax
> -.Lft6: movq %rax,(%rsi) # RIP
> +.Lft6: movq %rax,2*8(%rsi) # RIP
> testb $TBF_EXCEPTION_ERRCODE,TRAPBOUNCE_flags(%rdx)
> jz 1f
> subq $8,%rsi
> movl TRAPBOUNCE_error_code(%rdx),%eax
> -.Lft7: movq %rax,(%rsi) # ERROR CODE
> +.Lft7: movq %rax,2*8(%rsi) # ERROR CODE
> 1:
> - subq $16,%rsi
> movq UREGS_r11+8(%rsp),%rax
> -.Lft12: movq %rax,8(%rsi) # R11
> +.Lft12: movq %rax,1*8(%rsi) # R11
> movq UREGS_rcx+8(%rsp),%rax
> -.Lft13: movq %rax,(%rsi) # RCX
> +.Lft13: movq %rax,0*8(%rsi) # RCX
> ASM_CLAC
> /* Rewrite our stack frame and return to guest-OS mode. */
> /* IA32 Ref. Vol. 3: TF, VM, RF and NT flags are cleared on trap. */
> @@ -345,24 +344,30 @@ UNLIKELY_START(z, create_bounce_frame_ba
> __UNLIKELY_END(create_bounce_frame_bad_bounce_ip)
> movq %rax,UREGS_rip+8(%rsp)
> ret
> - _ASM_EXTABLE(.Lft2, domain_crash_page_fault_32)
> - _ASM_EXTABLE(.Lft3, domain_crash_page_fault_24)
> - _ASM_EXTABLE(.Lft4, domain_crash_page_fault_8)
> - _ASM_EXTABLE(.Lft5, domain_crash_page_fault_16)
> - _ASM_EXTABLE(.Lft6, domain_crash_page_fault)
> - _ASM_EXTABLE(.Lft7, domain_crash_page_fault)
> - _ASM_EXTABLE(.Lft12, domain_crash_page_fault_8)
> - _ASM_EXTABLE(.Lft13, domain_crash_page_fault)
> + _ASM_EXTABLE(.Lft2, domain_crash_page_fault_6x8)
> + _ASM_EXTABLE(.Lft3, domain_crash_page_fault_5x8)
> + _ASM_EXTABLE(.Lft4, domain_crash_page_fault_4x8)
> + _ASM_EXTABLE(.Lft5, domain_crash_page_fault_3x8)
Do you perhaps mean to swap the labels for 4 and 5?
~Andrew
> + _ASM_EXTABLE(.Lft6, domain_crash_page_fault_2x8)
> + _ASM_EXTABLE(.Lft7, domain_crash_page_fault_2x8)
> + _ASM_EXTABLE(.Lft12, domain_crash_page_fault_1x8)
> + _ASM_EXTABLE(.Lft13, domain_crash_page_fault_0x8)
>
> -domain_crash_page_fault_32:
> + .pushsection .fixup, "ax", @progbits
> + # Numeric tags below represent the intended overall %rsi adjustment.
> +domain_crash_page_fault_6x8:
> addq $8,%rsi
> -domain_crash_page_fault_24:
> +domain_crash_page_fault_5x8:
> addq $8,%rsi
> -domain_crash_page_fault_16:
> +domain_crash_page_fault_4x8:
> addq $8,%rsi
> -domain_crash_page_fault_8:
> +domain_crash_page_fault_3x8:
> addq $8,%rsi
> -domain_crash_page_fault:
> +domain_crash_page_fault_2x8:
> + addq $8,%rsi
> +domain_crash_page_fault_1x8:
> + addq $8,%rsi
> +domain_crash_page_fault_0x8:
> ASM_CLAC
> movq %rsi,%rdi
> call show_page_walk
> @@ -380,6 +385,7 @@ ENTRY(dom_crash_sync_extable)
> orb %al,UREGS_cs(%rsp)
> xorl %edi,%edi
> jmp asm_domain_crash_synchronous /* Does not return */
> + .popsection
>
> ENTRY(common_interrupt)
> SAVE_ALL CLAC
>
>
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-05-05 8:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-04 13:35 [PATCH v2] x86: correct create_bounce_frame Jan Beulich
2017-05-05 8:41 ` Andrew Cooper [this message]
2017-05-05 9:38 ` Jan Beulich
2017-05-05 10:18 ` Andrew Cooper
2017-05-05 10:24 ` Jan Beulich
2017-05-05 10:29 ` Andrew Cooper
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1d0c09c9-41f3-a512-3f1c-bc704fbabd31@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=julien.grall@arm.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).