Re: [PATCH] trace: further security fixes: add compiler memory barriers

xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed

From: Keir Fraser <keir.fraser@eu.citrix.com>
To: Jan Beulich <JBeulich@novell.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>
Subject: Re: [PATCH] trace: further security fixes: add compiler memory barriers
Date: Mon, 5 Jul 2010 09:06:52 +0100	[thread overview]
Message-ID: <C857512C.19661%keir.fraser@eu.citrix.com> (raw)
In-Reply-To: <4C31AD8C02000078000097D0@vpn.id2.novell.com>

I think I already applied this patch.

 K.

On 05/07/2010 09:01, "Jan Beulich" <JBeulich@novell.com> wrote:

> This is to ensure fields shared writably with Dom0 get read only once
> for any consistency checking followed by actual calculations.
> 
> I realized there was another multiple-read issue, a fix for which is
> also included (which at once simplifies __insert_record()).
> 
> Signed-off-by: Jan Beulich <jbeulich@novell.com>
> 
> --- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200
> +++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200
> @@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32
>  static inline u32 calc_unconsumed_bytes(const struct t_buf *buf)
>  {
>      u32 prod = buf->prod, cons = buf->cons;
> -    s32 x = prod - cons;
> +    s32 x;
>  
> +    barrier(); /* must read buf->prod and buf->cons only once */
>      if ( bogus(prod, cons) )
>          return data_size;
>  
> +    x = prod - cons;
>      if ( x < 0 )
>          x += 2*data_size;
>  
> @@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes(
>  
>  static inline u32 calc_bytes_to_wrap(const struct t_buf *buf)
>  {
> -    u32 prod = buf->prod;
> -    s32 x = data_size - prod;
> +    u32 prod = buf->prod, cons = buf->cons;
> +    s32 x;
>  
> -    if ( bogus(prod, buf->cons) )
> +    barrier(); /* must read buf->prod and buf->cons only once */
> +    if ( bogus(prod, cons) )
>          return 0;
>  
> +    x = data_size - prod;
>      if ( x <= 0 )
>          x += data_size;
>  
> @@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const
>      return data_size - calc_unconsumed_bytes(buf);
>  }
>  
> -static inline struct t_rec *next_record(const struct t_buf *buf)
> +static inline struct t_rec *next_record(const struct t_buf *buf,
> +                                        uint32_t *next)
>  {
> -    u32 x = buf->prod;
> +    u32 x = buf->prod, cons = buf->cons;
>  
> -    if ( !tb_init_done || bogus(x, buf->cons) )
> +    barrier(); /* must read buf->prod and buf->cons only once */
> +    *next = x;
> +    if ( !tb_init_done || bogus(x, cons) )
>          return NULL;
>  
>      if ( x >= data_size )
> @@ -504,23 +511,21 @@ static inline void __insert_record(volat
>      BUG_ON(local_rec_size != rec_size);
>      BUG_ON(extra & 3);
>  
> +    rec = next_record(buf, &next);
> +    if ( !rec )
> +        return;
>      /* Double-check once more that we have enough space.
>       * Don't bugcheck here, in case the userland tool is doing
>       * something stupid. */
> -    next = calc_bytes_avail(buf);
> -    if ( next < rec_size )
> +    if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size )
>      {
>          if ( printk_ratelimit() )
>              printk(XENLOG_WARNING
> -                   "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n",
> -                   __func__, next, data_size, buf->prod, buf->cons,
> rec_size);
> +                   "%s: size=%08x prod=%08x cons=%08x rec=%u\n",
> +                   __func__, data_size, next, buf->cons, rec_size);
>          return;
>      }
> -    rmb();
>  
> -    rec = next_record(buf);
> -    if ( !rec )
> -        return;
>      rec->event = event;
>      rec->extra_u32 = extra_word;
>      dst = (unsigned char *)rec->u.nocycles.extra_u32;
> @@ -537,9 +542,6 @@ static inline void __insert_record(volat
>  
>      wmb();
>  
> -    next = buf->prod;
> -    if ( bogus(next, buf->cons) )
> -        return;
>      next += rec_size;
>      if ( next >= 2*data_size )
>          next -= 2*data_size;
> 
> 
>

next prev parent reply	other threads:[~2010-07-05  8:06 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-07-05  8:01 [PATCH] trace: further security fixes: add compiler memory barriers Jan Beulich
2010-07-05  8:06 ` Keir Fraser [this message]
2010-07-05  8:57   ` Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=C857512C.19661%keir.fraser@eu.citrix.com \
    --to=keir.fraser@eu.citrix.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=JBeulich@novell.com \
    --cc=xen-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).