From: "Jan Beulich" <JBeulich@suse.com>
To: Tim Deegan <tim@xen.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
Keir Fraser <keir@xen.org>, Don Slutz <dslutz@verizon.com>,
xen-devel@lists.xen.org
Subject: Re: [PATCH 1/1] x86/hvm: prevent hvm_free_ioreq_gmfn() clobber of arbitrary memory
Date: Thu, 16 Apr 2015 12:32:44 +0100 [thread overview]
Message-ID: <552FB9FC0200007800072BCD@mail.emea.novell.com> (raw)
In-Reply-To: <20150416105312.GE13443@deinos.phlegethon.org>
>>> On 16.04.15 at 12:53, <tim@xen.org> wrote:
> At 14:17 +0100 on 14 Apr (1429021061), Andrew Cooper wrote:
>> On 14/04/15 12:47, Jan Beulich wrote:
>> >>>> On 13.04.15 at 18:01, <dslutz@verizon.com> wrote:
>> >> --- a/xen/arch/x86/hvm/hvm.c
>> >> +++ b/xen/arch/x86/hvm/hvm.c
>> >> @@ -536,8 +536,9 @@ static int hvm_alloc_ioreq_gmfn(struct domain *d,
>> >> unsigned long *gmfn)
>> >>
>> >> static void hvm_free_ioreq_gmfn(struct domain *d, unsigned long gmfn)
>> >> {
>> >> - unsigned int i = gmfn - d->arch.hvm_domain.ioreq_gmfn.base;
>> >> + unsigned long i = gmfn - d->arch.hvm_domain.ioreq_gmfn.base;
>> >>
>> >> + BUG_ON(i >= sizeof(d->arch.hvm_domain.ioreq_gmfn.mask) * 8);
>> >> clear_bit(i, &d->arch.hvm_domain.ioreq_gmfn.mask);
>> >> }
>> > I'd be happier with an ASSERT() - Andrew?
>>
>> If I recall, this is a follow on from the compiler error, where gmfn now
>> gets initialised to ~0 to avoid a build failure.
>>
>> If gcc is correct and there is a way for gmfn to be used, then the
>> clear_bit() here clobber memory. The BUG_ON() serves as a protection
>> against the clobbering.
>>
>> If however gcc was actually wrong, then the code here is actually fine,
>> and a BUG_ON() or ASSERT() will never actually trigger.
>>
>> In addition, not a hotpath in the slightest, so performance isn't a concern.
>>
>>
>> I have still not managed to conclusively work out whether gcc is correct
>> or wrong. As a result, I would lean in the direction of BUG_ON() rather
>> than ASSERT(), out of paranoia. However, I would prefer even more a
>> solution where we were certain that gmfn isn't bogus.
>
> AFAICT GCC is wrong, though the code is confusing enough to me that I
> don't blame GCC for being confused too. :)
>
> I would be inclined to use a bigger hammer here. IMO refactoring like
> this makes it easier to reason about (compile tested only):
This looks like a pretty nice cleanup; I particularly like the 4 labels
going away.
Jan
next prev parent reply other threads:[~2015-04-16 11:32 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-13 16:01 [PATCH 1/1] x86/hvm: prevent hvm_free_ioreq_gmfn() clobber of arbitrary memory Don Slutz
2015-04-14 11:47 ` Jan Beulich
2015-04-14 13:17 ` Andrew Cooper
2015-04-14 22:54 ` Don Slutz
2015-04-16 10:53 ` Tim Deegan
2015-04-16 11:32 ` Jan Beulich [this message]
2015-04-16 16:37 ` Tim Deegan
2015-04-16 18:44 ` Andrew Cooper
2015-04-17 7:45 ` Jan Beulich
2015-04-23 13:25 Paul Durrant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=552FB9FC0200007800072BCD@mail.emea.novell.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=dslutz@verizon.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.