From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1422723AbcFMK5j (ORCPT <rfc822;w@1wt.eu>);
	Mon, 13 Jun 2016 06:57:39 -0400
Received: from smtp.citrix.com ([66.165.176.89]:12758 "EHLO SMTP.CITRIX.COM"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S964910AbcFMK5i (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 13 Jun 2016 06:57:38 -0400
X-IronPort-AV: E=Sophos;i="5.26,466,1459814400"; 
   d="scan'208";a="360017179"
Subject: Re: [Xen-devel] [PATCH] xen: grant-table: Check truncation when
 giving access to a frame
To: Julien Grall <julien.grall@arm.com>, <boris.ostrovsky@oracle.com>,
        <david.vrabel@citrix.com>, <jgross@suse.com>, <sstabellini@kernel.org>,
        <konrad.wilk@oracle.com>
References: <1465815046-5390-1-git-send-email-julien.grall@arm.com>
CC: <steve.capper@arm.com>, <andrew.cooper3@citrix.com>,
        <linux-kernel@vger.kernel.org>, <xen-devel@lists.xen.org>,
        <JBeulich@suse.com>
From: David Vrabel <david.vrabel@citrix.com>
Message-ID: <575E9198.70103@citrix.com>
Date: Mon, 13 Jun 2016 11:57:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Icedove/38.5.0
MIME-Version: 1.0
In-Reply-To: <1465815046-5390-1-git-send-email-julien.grall@arm.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-DLP: MIA1
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 13/06/16 11:50, Julien Grall wrote:
> The version 1 of the grant-table protocol only supports frame encoded on
> 32-bit.
> 
> When the platform is supporting 48-bit physical address, the frame will
> be encoded on 36-bit which will lead a truncation and give access to
> the wrong frame.
> 
> On ARM Xen will always allow the guest to use all the physical address,
> although today the RAM is always located under 40-bits (see
> xen/include/public/arch-arm.h).
> 
> Add a truncation check in gnttab_update_entry_v1 to prevent the guest to
> give access to the wrong frame.

In hindsight, we shouldn't have dropped the V2 support from Linux.
Should we reinstate it?

David

> Signed-off-by: Julien Grall <julien.grall@arm.com>
> 
> ---
>     This is limiting us to a 44-bit address space whilst ARM can support
>     up to 48-bit today. This number of bit will increase to 52-bit in
>     upcoming processors [1].
> 
>     It might be good to start thinking to extend the version 1 of the
>     protocol to use 64-bit frame number.
> 
>     [1] https://community.arm.com/groups/processors/blog/2016/01/05/armv8-a-architecture-evolution
> ---
>  drivers/xen/grant-table.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
> index bb36b1e..f47c2e99 100644
> --- a/drivers/xen/grant-table.c
> +++ b/drivers/xen/grant-table.c
> @@ -224,6 +224,13 @@ static void gnttab_update_entry_v1(grant_ref_t ref, domid_t domid,
>  {
>  	gnttab_shared.v1[ref].domid = domid;
>  	gnttab_shared.v1[ref].frame = frame;
> +
> +	/*
> +	 * V1 only supports 32-bit frame, check the truncation
> +	 * to avoid giving access to the wrong frame.
> +	 */
> +	BUG_ON(gnttab_shared.v1[ref].frame != frame);
> +
>  	wmb();
>  	gnttab_shared.v1[ref].flags = flags;
>  }
>