From: Jan Beulich <jbeulich@suse.com>
To: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>
Cc: "Andrew Cooper" <andrew.cooper3@citrix.com>,
"Wei Liu" <wl@xen.org>, "Roger Pau Monné" <roger.pau@citrix.com>,
"Tim Deegan" <tim@xen.org>,
"George Dunlap" <george.dunlap@citrix.com>,
"Elena Ufimtseva" <elena.ufimtseva@oracle.com>
Subject: [PATCH 06/17] x86/gdbsx: convert "user" to "guest" accesses
Date: Thu, 14 Jan 2021 16:05:57 +0100 [thread overview]
Message-ID: <0ba3d730-8bc6-0907-8e60-ce3176afa491@suse.com> (raw)
In-Reply-To: <4f1975a9-bdd9-f556-9db5-eb6c428f258f@suse.com>
Using copy_{from,to}_user(), this code was assuming to be called only by
PV guests. Use copy_{from,to}_guest() instead, transforming the incoming
structure field into a guest handle (the field should really have been
one in the first place). Also do not transform the debuggee address into
a pointer.
As a not originally intended side effect this also fixes a bug in
dbg_rw_guest_mem(): At the end of the loop "addr" was incremented, but
then in the next loop iteration (with the variable also having gone out
of scope inbetween) re-initialized from the function parameter.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
--- a/xen/arch/x86/debug.c
+++ b/xen/arch/x86/debug.c
@@ -108,14 +108,14 @@ dbg_pv_va2mfn(dbgva_t vaddr, struct doma
}
/* Returns: number of bytes remaining to be copied */
-static unsigned int dbg_rw_guest_mem(struct domain *dp, void * __user gaddr,
- void * __user buf, unsigned int len,
- bool toaddr, uint64_t pgd3)
+static unsigned int dbg_rw_guest_mem(struct domain *dp, unsigned long addr,
+ XEN_GUEST_HANDLE_PARAM(void) buf,
+ unsigned int len, bool toaddr,
+ uint64_t pgd3)
{
while ( len > 0 )
{
char *va;
- unsigned long addr = (unsigned long)gaddr;
mfn_t mfn;
gfn_t gfn = INVALID_GFN;
unsigned long pagecnt;
@@ -133,20 +133,18 @@ static unsigned int dbg_rw_guest_mem(str
if ( toaddr )
{
- copy_from_user(va, buf, pagecnt); /* va = buf */
+ copy_from_guest(va, buf, pagecnt);
paging_mark_dirty(dp, mfn);
}
else
- {
- copy_to_user(buf, va, pagecnt); /* buf = va */
- }
+ copy_to_guest(buf, va, pagecnt);
unmap_domain_page(va);
if ( !gfn_eq(gfn, INVALID_GFN) )
put_gfn(dp, gfn_x(gfn));
addr += pagecnt;
- buf += pagecnt;
+ guest_handle_add_offset(buf, pagecnt);
len -= pagecnt;
}
@@ -160,7 +158,7 @@ static unsigned int dbg_rw_guest_mem(str
* pgd3: value of init_mm.pgd[3] in guest. see above.
* Returns: number of bytes remaining to be copied.
*/
-unsigned int dbg_rw_mem(void * __user addr, void * __user buf,
+unsigned int dbg_rw_mem(unsigned long gva, XEN_GUEST_HANDLE_PARAM(void) buf,
unsigned int len, domid_t domid, bool toaddr,
uint64_t pgd3)
{
@@ -169,7 +167,7 @@ unsigned int dbg_rw_mem(void * __user ad
if ( d )
{
if ( !d->is_dying )
- len = dbg_rw_guest_mem(d, addr, buf, len, toaddr, pgd3);
+ len = dbg_rw_guest_mem(d, gva, buf, len, toaddr, pgd3);
rcu_unlock_domain(d);
}
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -40,10 +40,8 @@
#ifdef CONFIG_GDBSX
static int gdbsx_guest_mem_io(domid_t domid, struct xen_domctl_gdbsx_memio *iop)
{
- void * __user gva = (void *)iop->gva, * __user uva = (void *)iop->uva;
-
- iop->remain = dbg_rw_mem(gva, uva, iop->len, domid,
- !!iop->gwr, iop->pgd3val);
+ iop->remain = dbg_rw_mem(iop->gva, guest_handle_from_ptr(iop->uva, void),
+ iop->len, domid, iop->gwr, iop->pgd3val);
return iop->remain ? -EFAULT : 0;
}
--- a/xen/include/asm-x86/debugger.h
+++ b/xen/include/asm-x86/debugger.h
@@ -93,9 +93,9 @@ static inline bool debugger_trap_entry(
#endif
#ifdef CONFIG_GDBSX
-unsigned int dbg_rw_mem(void * __user addr, void * __user buf,
+unsigned int dbg_rw_mem(unsigned long gva, XEN_GUEST_HANDLE_PARAM(void) buf,
unsigned int len, domid_t domid, bool toaddr,
- uint64_t pgd3);
+ unsigned long pgd3);
#endif
#endif /* __X86_DEBUGGER_H__ */
next prev parent reply other threads:[~2021-01-14 15:06 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-14 15:01 [PATCH 00/17] x86/PV: avoid speculation abuse through guest accessors plus Jan Beulich
2021-01-14 15:03 ` [PATCH 01/17] x86/shadow: use __put_user() instead of __copy_to_user() Jan Beulich
2021-01-14 15:04 ` [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants Jan Beulich
2021-02-05 15:43 ` Roger Pau Monné
2021-02-05 16:13 ` Jan Beulich
2021-02-05 16:18 ` Roger Pau Monné
2021-02-05 16:26 ` Jan Beulich
2021-02-09 13:07 ` Roger Pau Monné
2021-02-09 13:15 ` Jan Beulich
2021-02-09 14:46 ` Roger Pau Monné
2021-02-09 14:57 ` Jan Beulich
2021-02-09 15:23 ` Roger Pau Monné
2021-02-09 14:55 ` Roger Pau Monné
2021-02-09 15:14 ` Jan Beulich
2021-02-09 15:27 ` Roger Pau Monné
2021-01-14 15:04 ` [PATCH 03/17] x86: split __copy_{from,to}_user() " Jan Beulich
2021-02-09 16:06 ` Roger Pau Monné
2021-02-09 17:03 ` Jan Beulich
2021-01-14 15:04 ` [PATCH 04/17] x86/PV: harden guest memory accesses against speculative abuse Jan Beulich
2021-02-09 16:26 ` Roger Pau Monné
2021-02-10 16:55 ` Jan Beulich
2021-02-11 8:11 ` Roger Pau Monné
2021-02-11 11:28 ` Jan Beulich
2021-02-12 10:41 ` Roger Pau Monné
2021-02-12 12:48 ` Jan Beulich
2021-02-12 13:02 ` Roger Pau Monné
2021-02-12 13:15 ` Jan Beulich
2021-01-14 15:05 ` [PATCH 05/17] x86: rename {get,put}_user() to {get,put}_guest() Jan Beulich
2021-01-14 15:05 ` Jan Beulich [this message]
2021-01-14 15:06 ` [PATCH 07/17] x86: rename copy_{from,to}_user() to copy_{from,to}_guest_pv() Jan Beulich
2021-01-14 15:07 ` [PATCH 08/17] x86: move stac()/clac() from {get,put}_unsafe_asm() Jan Beulich
2021-01-14 15:07 ` [PATCH 09/17] x86/PV: use get_unsafe() instead of copy_from_unsafe() Jan Beulich
2021-01-14 15:08 ` [PATCH 10/17] x86/shadow: " Jan Beulich
2021-01-14 15:08 ` [PATCH 11/17] x86/shadow: polish shadow_write_entries() Jan Beulich
2021-01-14 15:09 ` [PATCH 12/17] x86/shadow: move shadow_set_l<N>e() to their own source file Jan Beulich
2021-01-14 15:09 ` [PATCH 13/17] x86/shadow: don't open-code SHF_* shorthands Jan Beulich
2021-01-14 15:10 ` [PATCH 14/17] x86/shadow: SH_type_l2h_shadow is PV-only Jan Beulich
2021-01-14 15:10 ` [PATCH 15/17] x86/shadow: drop SH_type_l2h_pae_shadow Jan Beulich
2021-01-22 13:11 ` Tim Deegan
2021-01-22 16:31 ` Jan Beulich
2021-01-22 20:02 ` Tim Deegan
2021-01-25 11:09 ` Jan Beulich
2021-01-25 11:33 ` Jan Beulich
2021-01-14 15:10 ` [PATCH 16/17] x86/shadow: only 4-level guest code needs building when !HVM Jan Beulich
2021-01-14 15:11 ` [PATCH 17/17] x86/shadow: adjust is_pv_*() checks Jan Beulich
2021-01-22 13:18 ` [PATCH 00/17] x86/PV: avoid speculation abuse through guest accessors plus Tim Deegan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0ba3d730-8bc6-0907-8e60-ce3176afa491@suse.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=elena.ufimtseva@oracle.com \
--cc=george.dunlap@citrix.com \
--cc=roger.pau@citrix.com \
--cc=tim@xen.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.