From: "Jan Beulich" <JBeulich@novell.com>
To: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: xen-devel@lists.xensource.com
Subject: [PATCH] trace: further security fixes: add compiler memory barriers
Date: Mon, 05 Jul 2010 09:01:48 +0100 [thread overview]
Message-ID: <4C31AD8C02000078000097D0@vpn.id2.novell.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3342 bytes --]
This is to ensure fields shared writably with Dom0 get read only once
for any consistency checking followed by actual calculations.
I realized there was another multiple-read issue, a fix for which is
also included (which at once simplifies __insert_record()).
Signed-off-by: Jan Beulich <jbeulich@novell.com>
--- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200
+++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200
@@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32
static inline u32 calc_unconsumed_bytes(const struct t_buf *buf)
{
u32 prod = buf->prod, cons = buf->cons;
- s32 x = prod - cons;
+ s32 x;
+ barrier(); /* must read buf->prod and buf->cons only once */
if ( bogus(prod, cons) )
return data_size;
+ x = prod - cons;
if ( x < 0 )
x += 2*data_size;
@@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes(
static inline u32 calc_bytes_to_wrap(const struct t_buf *buf)
{
- u32 prod = buf->prod;
- s32 x = data_size - prod;
+ u32 prod = buf->prod, cons = buf->cons;
+ s32 x;
- if ( bogus(prod, buf->cons) )
+ barrier(); /* must read buf->prod and buf->cons only once */
+ if ( bogus(prod, cons) )
return 0;
+ x = data_size - prod;
if ( x <= 0 )
x += data_size;
@@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const
return data_size - calc_unconsumed_bytes(buf);
}
-static inline struct t_rec *next_record(const struct t_buf *buf)
+static inline struct t_rec *next_record(const struct t_buf *buf,
+ uint32_t *next)
{
- u32 x = buf->prod;
+ u32 x = buf->prod, cons = buf->cons;
- if ( !tb_init_done || bogus(x, buf->cons) )
+ barrier(); /* must read buf->prod and buf->cons only once */
+ *next = x;
+ if ( !tb_init_done || bogus(x, cons) )
return NULL;
if ( x >= data_size )
@@ -504,23 +511,21 @@ static inline void __insert_record(volat
BUG_ON(local_rec_size != rec_size);
BUG_ON(extra & 3);
+ rec = next_record(buf, &next);
+ if ( !rec )
+ return;
/* Double-check once more that we have enough space.
* Don't bugcheck here, in case the userland tool is doing
* something stupid. */
- next = calc_bytes_avail(buf);
- if ( next < rec_size )
+ if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size )
{
if ( printk_ratelimit() )
printk(XENLOG_WARNING
- "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n",
- __func__, next, data_size, buf->prod, buf->cons, rec_size);
+ "%s: size=%08x prod=%08x cons=%08x rec=%u\n",
+ __func__, data_size, next, buf->cons, rec_size);
return;
}
- rmb();
- rec = next_record(buf);
- if ( !rec )
- return;
rec->event = event;
rec->extra_u32 = extra_word;
dst = (unsigned char *)rec->u.nocycles.extra_u32;
@@ -537,9 +542,6 @@ static inline void __insert_record(volat
wmb();
- next = buf->prod;
- if ( bogus(next, buf->cons) )
- return;
next += rec_size;
if ( next >= 2*data_size )
next -= 2*data_size;
[-- Attachment #2: trace-barriers.patch --]
[-- Type: text/plain, Size: 3067 bytes --]
Signed-off-by: Jan Beulich <jbeulich@novell.com>
--- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200
+++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200
@@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32
static inline u32 calc_unconsumed_bytes(const struct t_buf *buf)
{
u32 prod = buf->prod, cons = buf->cons;
- s32 x = prod - cons;
+ s32 x;
+ barrier(); /* must read buf->prod and buf->cons only once */
if ( bogus(prod, cons) )
return data_size;
+ x = prod - cons;
if ( x < 0 )
x += 2*data_size;
@@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes(
static inline u32 calc_bytes_to_wrap(const struct t_buf *buf)
{
- u32 prod = buf->prod;
- s32 x = data_size - prod;
+ u32 prod = buf->prod, cons = buf->cons;
+ s32 x;
- if ( bogus(prod, buf->cons) )
+ barrier(); /* must read buf->prod and buf->cons only once */
+ if ( bogus(prod, cons) )
return 0;
+ x = data_size - prod;
if ( x <= 0 )
x += data_size;
@@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const
return data_size - calc_unconsumed_bytes(buf);
}
-static inline struct t_rec *next_record(const struct t_buf *buf)
+static inline struct t_rec *next_record(const struct t_buf *buf,
+ uint32_t *next)
{
- u32 x = buf->prod;
+ u32 x = buf->prod, cons = buf->cons;
- if ( !tb_init_done || bogus(x, buf->cons) )
+ barrier(); /* must read buf->prod and buf->cons only once */
+ *next = x;
+ if ( !tb_init_done || bogus(x, cons) )
return NULL;
if ( x >= data_size )
@@ -504,23 +511,21 @@ static inline void __insert_record(volat
BUG_ON(local_rec_size != rec_size);
BUG_ON(extra & 3);
+ rec = next_record(buf, &next);
+ if ( !rec )
+ return;
/* Double-check once more that we have enough space.
* Don't bugcheck here, in case the userland tool is doing
* something stupid. */
- next = calc_bytes_avail(buf);
- if ( next < rec_size )
+ if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size )
{
if ( printk_ratelimit() )
printk(XENLOG_WARNING
- "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n",
- __func__, next, data_size, buf->prod, buf->cons, rec_size);
+ "%s: size=%08x prod=%08x cons=%08x rec=%u\n",
+ __func__, data_size, next, buf->cons, rec_size);
return;
}
- rmb();
- rec = next_record(buf);
- if ( !rec )
- return;
rec->event = event;
rec->extra_u32 = extra_word;
dst = (unsigned char *)rec->u.nocycles.extra_u32;
@@ -537,9 +542,6 @@ static inline void __insert_record(volat
wmb();
- next = buf->prod;
- if ( bogus(next, buf->cons) )
- return;
next += rec_size;
if ( next >= 2*data_size )
next -= 2*data_size;
[-- Attachment #3: Type: text/plain, Size: 138 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
next reply other threads:[~2010-07-05 8:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-05 8:01 Jan Beulich [this message]
2010-07-05 8:06 ` [PATCH] trace: further security fixes: add compiler memory barriers Keir Fraser
2010-07-05 8:57 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C31AD8C02000078000097D0@vpn.id2.novell.com \
--to=jbeulich@novell.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).