Xen-Devel Archive on lore.kernel.org
 help / color / Atom feed
* [XEN PATCH] hvmloader: Fix reading ACPI PM1 CNT value
@ 2020-06-30 17:09 Anthony PERARD
  2020-07-01  7:52 ` Roger Pau Monné
  0 siblings, 1 reply; 3+ messages in thread
From: Anthony PERARD @ 2020-06-30 17:09 UTC (permalink / raw)
  To: xen-devel
  Cc: Wei Liu, Andrew Cooper, Ian Jackson, Jan Beulich, Anthony PERARD,
	Roger Pau Monné

In order to get the CNT value from QEMU, we were supposed to read a
word, according to the implementation in QEMU. But it has been lax and
allowed to read a single byte. This has changed with commit
5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
memory_region_access_valid"") and result in hvmloader crashing on
the BUG_ON.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>

---

I'll try to have the QEMU implementation changes to allow reading a
byte, but it would probably by nice to not have to change qemu.
---
 tools/firmware/hvmloader/hvmloader.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/firmware/hvmloader/hvmloader.c b/tools/firmware/hvmloader/hvmloader.c
index 598a22627872..bdcbe4a26664 100644
--- a/tools/firmware/hvmloader/hvmloader.c
+++ b/tools/firmware/hvmloader/hvmloader.c
@@ -256,7 +256,7 @@ static const struct bios_config *detect_bios(void)
 
 static void acpi_enable_sci(void)
 {
-    uint8_t pm1a_cnt_val;
+    uint16_t pm1a_cnt_val;
 
 #define PIIX4_SMI_CMD_IOPORT 0xb2
 #define PIIX4_ACPI_ENABLE    0xf1
@@ -265,11 +265,11 @@ static void acpi_enable_sci(void)
      * PIIX4 emulation in QEMU has SCI_EN=0 by default. We have no legacy
      * SMM implementation, so give ACPI control to the OSPM immediately.
      */
-    pm1a_cnt_val = inb(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
+    pm1a_cnt_val = inw(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
     if ( !(pm1a_cnt_val & ACPI_PM1C_SCI_EN) )
         outb(PIIX4_SMI_CMD_IOPORT, PIIX4_ACPI_ENABLE);
 
-    pm1a_cnt_val = inb(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
+    pm1a_cnt_val = inw(ACPI_PM1A_CNT_BLK_ADDRESS_V1);
     BUG_ON(!(pm1a_cnt_val & ACPI_PM1C_SCI_EN));
 }
 
-- 
Anthony PERARD



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [XEN PATCH] hvmloader: Fix reading ACPI PM1 CNT value
  2020-06-30 17:09 [XEN PATCH] hvmloader: Fix reading ACPI PM1 CNT value Anthony PERARD
@ 2020-07-01  7:52 ` Roger Pau Monné
  2020-07-01  9:10   ` Anthony PERARD
  0 siblings, 1 reply; 3+ messages in thread
From: Roger Pau Monné @ 2020-07-01  7:52 UTC (permalink / raw)
  To: Anthony PERARD
  Cc: xen-devel, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper

On Tue, Jun 30, 2020 at 06:09:13PM +0100, Anthony PERARD wrote:
> In order to get the CNT value from QEMU, we were supposed to read a
> word, according to the implementation in QEMU. But it has been lax and
> allowed to read a single byte. This has changed with commit
> 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
> memory_region_access_valid"") and result in hvmloader crashing on
> the BUG_ON.

This is a bug on the QEMU side, the ACPI spec states: "Accesses to PM1
control registers are accessed through byte and word accesses.".
That's on section 4.8.3.2.1 PM1 Control Registers of my copy of the
ACPI spec (6.2A).

> 
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>

I'm fine with this if such bogus behavior has made it's way into a
release version of QEMU, but it needs to state it's a workaround for a
QEMU bug, not a bug in hvmloader.

IMO the QEMU change should be reverted.

Thanks, Roger.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [XEN PATCH] hvmloader: Fix reading ACPI PM1 CNT value
  2020-07-01  7:52 ` Roger Pau Monné
@ 2020-07-01  9:10   ` Anthony PERARD
  0 siblings, 0 replies; 3+ messages in thread
From: Anthony PERARD @ 2020-07-01  9:10 UTC (permalink / raw)
  To: Roger Pau Monné
  Cc: xen-devel, Ian Jackson, Wei Liu, Jan Beulich, Andrew Cooper

On Wed, Jul 01, 2020 at 09:52:57AM +0200, Roger Pau Monné wrote:
> On Tue, Jun 30, 2020 at 06:09:13PM +0100, Anthony PERARD wrote:
> > In order to get the CNT value from QEMU, we were supposed to read a
> > word, according to the implementation in QEMU. But it has been lax and
> > allowed to read a single byte. This has changed with commit
> > 5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in
> > memory_region_access_valid"") and result in hvmloader crashing on
> > the BUG_ON.
> 
> This is a bug on the QEMU side, the ACPI spec states: "Accesses to PM1
> control registers are accessed through byte and word accesses.".
> That's on section 4.8.3.2.1 PM1 Control Registers of my copy of the
> ACPI spec (6.2A).

I guess we can ignore this patch then, and I should write a patch for
QEMU instead.

> I'm fine with this if such bogus behavior has made it's way into a
> release version of QEMU, but it needs to state it's a workaround for a
> QEMU bug, not a bug in hvmloader.

It hasn't, but might.

> IMO the QEMU change should be reverted.

The change can't be reverted, it is to fix a CVE and isn't related to
ACPI. But we can fix the emulator.

> Thanks, Roger.

Thanks,

-- 
Anthony PERARD


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-30 17:09 [XEN PATCH] hvmloader: Fix reading ACPI PM1 CNT value Anthony PERARD
2020-07-01  7:52 ` Roger Pau Monné
2020-07-01  9:10   ` Anthony PERARD

Xen-Devel Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/xen-devel/0 xen-devel/git/0.git
	git clone --mirror https://lore.kernel.org/xen-devel/1 xen-devel/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 xen-devel xen-devel/ https://lore.kernel.org/xen-devel \
		xen-devel@lists.xenproject.org xen-devel@lists.xen.org
	public-inbox-index xen-devel

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.xenproject.lists.xen-devel


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git