From: Julien Grall <julien.grall@arm.com>
To: Andre Przywara <andre.przywara@arm.com>,
	Stefano Stabellini <sstabellini@kernel.org>
Cc: xen-devel@lists.xenproject.org,
	Vijaya Kumar K <Vijaya.Kumar@caviumnetworks.com>,
	Vijay Kilari <vijay.kilari@gmail.com>,
	Shanker Donthineni <shankerd@codeaurora.org>
Subject: Re: [PATCH v9 19/28] ARM: vITS: handle MAPD command
Date: Wed, 24 May 2017 10:56:18 +0100	[thread overview]
Message-ID: <e67eafff-5748-8e75-683d-6e4085e4ce9d@arm.com> (raw)
In-Reply-To: <16e3a145-795d-03e9-8733-96bdd55d8679@arm.com>

Hi Andre,

On 05/24/2017 10:10 AM, Andre Przywara wrote:
> On 17/05/17 19:07, Julien Grall wrote:
>>>  /*
>>>   * Lookup the address of the Interrupt Translation Table associated with
>>>   * that device ID.
>>> @@ -414,6 +429,133 @@ out_unlock:
>>>      return ret;
>>>  }
>>>
>>> +/* Must be called with the ITS lock held. */
>>> +static int its_discard_event(struct virt_its *its,
>>> +                             uint32_t vdevid, uint32_t vevid)
>>> +{
>>> +    struct pending_irq *p;
>>> +    unsigned long flags;
>>> +    struct vcpu *vcpu;
>>> +    uint32_t vlpi;
>>> +
>>> +    ASSERT(spin_is_locked(&its->its_lock));
>>> +
>>> +    if ( !read_itte_locked(its, vdevid, vevid, &vcpu, &vlpi) )
>>> +        return -ENOENT;
>>> +
>>> +    if ( vlpi == INVALID_LPI )
>>> +        return -ENOENT;
>>> +
>>> +    /* Lock this VCPU's VGIC to make sure nobody is using the
>>> pending_irq. */
>>> +    spin_lock_irqsave(&vcpu->arch.vgic.lock, flags);
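Review bot: the lock taken at `spin_lock_irqsave(&vcpu->arch.vgic.lock, flags)` is selected by the `vcpu` that `read_itte_locked()` recovers from the ITT and collection table, both of which live in guest-provided memory, so nothing in this hunk guarantees it is the vCPU the `pending_irq` is actually queued on. Suggest deriving the owning vCPU from Xen-owned state (the `vcpu_id` field that `struct pending_irq` carries, populated when the event is mapped) and, if the table-derived `vcpu` is kept at all, checking it against that record before using it for anything, rather than trusting guest tables for lock selection.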
>>
>> There is an interesting issue happening with this code. You don't check
>> the content of the memory provided by the guest. So a malicious guest
>> could craft the memory in order to setup mapping with known vlpi and a
>> different vCPU.
>>
>> This would lead to use the wrong lock here and corrupt the list.
>
> What about this:
> Right now (mostly due to the requirements of the INVALL implementation)
> we store the VCPU ID in our struct pending_irq, populated upon MAPTI. So
> originally this was just for caching (INVALL being the only user of
> this), but I was wondering if we should move the actual instance of this
> information to pending_irq instead of relying on the collection ID from
> the ITS table. So we would never need to look up and trust the ITS
> tables for this information anymore. Later with the VGIC rework we will
> need this field anyway (even for SPIs).
>
> I think this should solve this threat, where a guest can manipulate Xen
> by crafting the tables. Tinkering with the other information stored in
> the tables should not harm Xen, the guest would just shoot itself in
> the foot.
>
> Does that make sense?

I think so. If I understand correctly, with that solution we would not 
need to protect the memory provided by the guest?

Cheers.

-- 
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
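The design Andre describes above (keep the owning vCPU in Xen's own `pending_irq` rather than re-reading it from the guest-provided ITS tables) as an added, self-contained model. This is example code written for this page, not Xen's vITS implementation: the table layouts, the `map_event()`/`discard_event()` names, the lock stand-in and the constructed scenario are all hypothetical. It shows that once Xen records the owner at mapping time, later rewrites of the guest tables cannot steer the discard path onto another vCPU's lock, and that the guest-supplied vLPI is bounds-checked before it indexes Xen-side state.

```c
/*
 * Added example, not Xen code: a toy model of the "owner lives in pending_irq"
 * design. Guest-writable tables are consulted only to find the vLPI of an
 * event; the vCPU whose lock is taken comes from Xen-owned state.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_VCPUS     4
#define NR_EVENTS    8
#define FIRST_LPI    8192u
#define NR_LPIS      16
#define INVALID_LPI  0xffffffffu

/* Hypothetical ITT entry: lives in guest memory, so every field is untrusted. */
struct itte {
    uint32_t vlpi;        /* INVALID_LPI when the event is not mapped */
    uint16_t collection;  /* index into the collection table, also guest memory */
};

/* The guest-provided tables, modelled as plain arrays (constructed). */
struct guest_its_mem {
    struct itte itt[NR_EVENTS];
    uint8_t collections[NR_VCPUS];  /* collection -> vCPU id, as the guest wrote it */
};

/* Xen-owned state: one pending_irq per vLPI plus a stand-in for each vCPU's VGIC lock. */
struct pending_irq {
    uint8_t vcpu_id;   /* written by Xen when the event is mapped, never re-read from guest memory */
    int mapped;
};

struct xen_state {
    struct pending_irq lpis[NR_LPIS];
    int vgic_lock_depth[NR_VCPUS];   /* stands in for vcpu->arch.vgic.lock */
};

/* MAPTI-like operation: validate the guest's choice once, then record it on the Xen side. */
int map_event(struct xen_state *x, struct guest_its_mem *g, uint32_t vevid,
              uint32_t vlpi, uint16_t collection)
{
    if (vevid >= NR_EVENTS || collection >= NR_VCPUS) return -EINVAL;
    if (vlpi < FIRST_LPI || vlpi - FIRST_LPI >= NR_LPIS) return -EINVAL;
    uint8_t vcpu = g->collections[collection];
    if (vcpu >= NR_VCPUS) return -EINVAL;          /* guest table content is bounds-checked */
    g->itt[vevid].vlpi = vlpi;                     /* guest-visible mapping ... */
    g->itt[vevid].collection = collection;
    struct pending_irq *p = &x->lpis[vlpi - FIRST_LPI];
    p->vcpu_id = vcpu;                             /* ... and Xen's private copy of the owner */
    p->mapped = 1;
    return 0;
}

/* Read the guest's ITT entry. The vCPU the tables claim is returned only for reporting. */
static int read_itte(const struct guest_its_mem *g, uint32_t vevid,
                     uint32_t *vlpi, uint8_t *claimed_vcpu)
{
    if (vevid >= NR_EVENTS) return -ENOENT;
    const struct itte *e = &g->itt[vevid];
    if (e->vlpi == INVALID_LPI || e->collection >= NR_VCPUS) return -ENOENT;
    *vlpi = e->vlpi;
    *claimed_vcpu = g->collections[e->collection];
    return 0;
}

/* DISCARD-like path. Returns the vCPU id whose lock was taken (>= 0) or a negative errno. */
int discard_event(struct xen_state *x, const struct guest_its_mem *g, uint32_t vevid)
{
    uint32_t vlpi;
    uint8_t claimed;
    int ret = read_itte(g, vevid, &vlpi, &claimed);
    if (ret) return ret;
    if (vlpi < FIRST_LPI || vlpi - FIRST_LPI >= NR_LPIS) return -ENOENT; /* guest-supplied index */
    struct pending_irq *p = &x->lpis[vlpi - FIRST_LPI];
    if (!p->mapped) return -ENOENT;
    int owner = p->vcpu_id;                        /* trusted: Xen wrote it in map_event() */
    if (claimed != owner)                          /* tables disagree with Xen: report, do not follow */
        fprintf(stderr, "event %u: guest tables claim vCPU %u, Xen records vCPU %d\n",
                vevid, claimed, owner);
    x->vgic_lock_depth[owner]++;                   /* spin_lock_irqsave(&owner->arch.vgic.lock) */
    p->mapped = 0;                                 /* unmap under the real owner's lock */
    x->vgic_lock_depth[owner]--;                   /* spin_unlock_irqrestore(...) */
    return owner;
}

/* Constructed scenario: consistent mapping, then tables rewritten after mapping. 0 = all steps ok. */
int run_scenario(void)
{
    struct xen_state x;
    struct guest_its_mem g;
    memset(&x, 0, sizeof(x));
    memset(&g, 0, sizeof(g));
    for (int i = 0; i < NR_EVENTS; i++) g.itt[i].vlpi = INVALID_LPI;
    g.collections[0] = 2;                                    /* collection 0 targets vCPU 2 */
    if (map_event(&x, &g, 0, FIRST_LPI, 0) != 0) return 1;
    if (discard_event(&x, &g, 0) != 2) return 2;             /* lock of the recorded owner */
    if (discard_event(&x, &g, 0) != -ENOENT) return 3;       /* already discarded */
    if (map_event(&x, &g, 1, FIRST_LPI + 1, 0) != 0) return 4;
    g.collections[0] = 1;                                    /* guest rewrites its table afterwards */
    if (discard_event(&x, &g, 1) != 2) return 5;             /* Xen still uses its own record */
    if (x.vgic_lock_depth[1] != 0 || x.vgic_lock_depth[2] != 0) return 6;
    if (discard_event(&x, &g, 5) != -ENOENT) return 7;       /* event never mapped */
    return 0;
}

int main(void)
{
    printf("scenario result: %d\n", run_scenario());
    return 0;
}
```

The only guest-controlled value that reaches Xen-side indexing is the vLPI, and it is range-checked before use; the collection-to-vCPU mapping is validated once at mapping time and never consulted again, which is what makes table tampering harmless to Xen in this model.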