Jan Beulich
2010-Jul-05 08:01 UTC
[Xen-devel] [PATCH] trace: further security fixes: add compiler memory barriers
This is to ensure fields shared writably with Dom0 get read only once for any consistency checking followed by actual calculations. I realized there was another multiple-read issue, a fix for which is also included (which at once simplifies __insert_record()). Signed-off-by: Jan Beulich <jbeulich@novell.com> --- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200 +++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200 @@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32 static inline u32 calc_unconsumed_bytes(const struct t_buf *buf) { u32 prod = buf->prod, cons = buf->cons; - s32 x = prod - cons; + s32 x; + barrier(); /* must read buf->prod and buf->cons only once */ if ( bogus(prod, cons) ) return data_size; + x = prod - cons; if ( x < 0 ) x += 2*data_size; @@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes( static inline u32 calc_bytes_to_wrap(const struct t_buf *buf) { - u32 prod = buf->prod; - s32 x = data_size - prod; + u32 prod = buf->prod, cons = buf->cons; + s32 x; - if ( bogus(prod, buf->cons) ) + barrier(); /* must read buf->prod and buf->cons only once */ + if ( bogus(prod, cons) ) return 0; + x = data_size - prod; if ( x <= 0 ) x += data_size; @@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const return data_size - calc_unconsumed_bytes(buf); } -static inline struct t_rec *next_record(const struct t_buf *buf) +static inline struct t_rec *next_record(const struct t_buf *buf, + uint32_t *next) { - u32 x = buf->prod; + u32 x = buf->prod, cons = buf->cons; - if ( !tb_init_done || bogus(x, buf->cons) ) + barrier(); /* must read buf->prod and buf->cons only once */ + *next = x; + if ( !tb_init_done || bogus(x, cons) ) return NULL; if ( x >= data_size ) @@ -504,23 +511,21 @@ static inline void __insert_record(volat BUG_ON(local_rec_size != rec_size); BUG_ON(extra & 3); + rec = next_record(buf, &next); + if ( !rec ) + return; /* Double-check once more that we have enough space. * Don''t bugcheck here, in case the userland tool is doing * something stupid. */ - next = calc_bytes_avail(buf); - if ( next < rec_size ) + if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size ) { if ( printk_ratelimit() ) printk(XENLOG_WARNING - "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n", - __func__, next, data_size, buf->prod, buf->cons, rec_size); + "%s: size=%08x prod=%08x cons=%08x rec=%u\n", + __func__, data_size, next, buf->cons, rec_size); return; } - rmb(); - rec = next_record(buf); - if ( !rec ) - return; rec->event = event; rec->extra_u32 = extra_word; dst = (unsigned char *)rec->u.nocycles.extra_u32; @@ -537,9 +542,6 @@ static inline void __insert_record(volat wmb(); - next = buf->prod; - if ( bogus(next, buf->cons) ) - return; next += rec_size; if ( next >= 2*data_size ) next -= 2*data_size; _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Keir Fraser
2010-Jul-05 08:06 UTC
Re: [Xen-devel] [PATCH] trace: further security fixes: add compiler memory barriers
I think I already applied this patch. K. On 05/07/2010 09:01, "Jan Beulich" <JBeulich@novell.com> wrote:> This is to ensure fields shared writably with Dom0 get read only once > for any consistency checking followed by actual calculations. > > I realized there was another multiple-read issue, a fix for which is > also included (which at once simplifies __insert_record()). > > Signed-off-by: Jan Beulich <jbeulich@novell.com> > > --- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200 > +++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200 > @@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32 > static inline u32 calc_unconsumed_bytes(const struct t_buf *buf) > { > u32 prod = buf->prod, cons = buf->cons; > - s32 x = prod - cons; > + s32 x; > > + barrier(); /* must read buf->prod and buf->cons only once */ > if ( bogus(prod, cons) ) > return data_size; > > + x = prod - cons; > if ( x < 0 ) > x += 2*data_size; > > @@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes( > > static inline u32 calc_bytes_to_wrap(const struct t_buf *buf) > { > - u32 prod = buf->prod; > - s32 x = data_size - prod; > + u32 prod = buf->prod, cons = buf->cons; > + s32 x; > > - if ( bogus(prod, buf->cons) ) > + barrier(); /* must read buf->prod and buf->cons only once */ > + if ( bogus(prod, cons) ) > return 0; > > + x = data_size - prod; > if ( x <= 0 ) > x += data_size; > > @@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const > return data_size - calc_unconsumed_bytes(buf); > } > > -static inline struct t_rec *next_record(const struct t_buf *buf) > +static inline struct t_rec *next_record(const struct t_buf *buf, > + uint32_t *next) > { > - u32 x = buf->prod; > + u32 x = buf->prod, cons = buf->cons; > > - if ( !tb_init_done || bogus(x, buf->cons) ) > + barrier(); /* must read buf->prod and buf->cons only once */ > + *next = x; > + if ( !tb_init_done || bogus(x, cons) ) > return NULL; > > if ( x >= data_size ) > @@ -504,23 +511,21 @@ static inline void __insert_record(volat > BUG_ON(local_rec_size != rec_size); > BUG_ON(extra & 3); > > + rec = next_record(buf, &next); > + if ( !rec ) > + return; > /* Double-check once more that we have enough space. > * Don''t bugcheck here, in case the userland tool is doing > * something stupid. */ > - next = calc_bytes_avail(buf); > - if ( next < rec_size ) > + if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size ) > { > if ( printk_ratelimit() ) > printk(XENLOG_WARNING > - "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n", > - __func__, next, data_size, buf->prod, buf->cons, > rec_size); > + "%s: size=%08x prod=%08x cons=%08x rec=%u\n", > + __func__, data_size, next, buf->cons, rec_size); > return; > } > - rmb(); > > - rec = next_record(buf); > - if ( !rec ) > - return; > rec->event = event; > rec->extra_u32 = extra_word; > dst = (unsigned char *)rec->u.nocycles.extra_u32; > @@ -537,9 +542,6 @@ static inline void __insert_record(volat > > wmb(); > > - next = buf->prod; > - if ( bogus(next, buf->cons) ) > - return; > next += rec_size; > if ( next >= 2*data_size ) > next -= 2*data_size; > > >_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Jan Beulich
2010-Jul-05 08:57 UTC
Re: [Xen-devel] [PATCH] trace: further security fixes: add compiler memory barriers
>>> On 05.07.10 at 10:06, Keir Fraser <keir.fraser@eu.citrix.com> wrote: > I think I already applied this patch.Indeed - I forgot to check the staging tree before sending, and assumed you would be waiting for George''s ack. Jan> On 05/07/2010 09:01, "Jan Beulich" <JBeulich@novell.com> wrote: > >> This is to ensure fields shared writably with Dom0 get read only once >> for any consistency checking followed by actual calculations. >> >> I realized there was another multiple-read issue, a fix for which is >> also included (which at once simplifies __insert_record()). >> >> Signed-off-by: Jan Beulich <jbeulich@novell.com> >> >> --- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200 >> +++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200 >> @@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32 >> static inline u32 calc_unconsumed_bytes(const struct t_buf *buf) >> { >> u32 prod = buf->prod, cons = buf->cons; >> - s32 x = prod - cons; >> + s32 x; >> >> + barrier(); /* must read buf->prod and buf->cons only once */ >> if ( bogus(prod, cons) ) >> return data_size; >> >> + x = prod - cons; >> if ( x < 0 ) >> x += 2*data_size; >> >> @@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes( >> >> static inline u32 calc_bytes_to_wrap(const struct t_buf *buf) >> { >> - u32 prod = buf->prod; >> - s32 x = data_size - prod; >> + u32 prod = buf->prod, cons = buf->cons; >> + s32 x; >> >> - if ( bogus(prod, buf->cons) ) >> + barrier(); /* must read buf->prod and buf->cons only once */ >> + if ( bogus(prod, cons) ) >> return 0; >> >> + x = data_size - prod; >> if ( x <= 0 ) >> x += data_size; >> >> @@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const >> return data_size - calc_unconsumed_bytes(buf); >> } >> >> -static inline struct t_rec *next_record(const struct t_buf *buf) >> +static inline struct t_rec *next_record(const struct t_buf *buf, >> + uint32_t *next) >> { >> - u32 x = buf->prod; >> + u32 x = buf->prod, cons = buf->cons; >> >> - if ( !tb_init_done || bogus(x, buf->cons) ) >> + barrier(); /* must read buf->prod and buf->cons only once */ >> + *next = x; >> + if ( !tb_init_done || bogus(x, cons) ) >> return NULL; >> >> if ( x >= data_size ) >> @@ -504,23 +511,21 @@ static inline void __insert_record(volat >> BUG_ON(local_rec_size != rec_size); >> BUG_ON(extra & 3); >> >> + rec = next_record(buf, &next); >> + if ( !rec ) >> + return; >> /* Double-check once more that we have enough space. >> * Don''t bugcheck here, in case the userland tool is doing >> * something stupid. */ >> - next = calc_bytes_avail(buf); >> - if ( next < rec_size ) >> + if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size ) >> { >> if ( printk_ratelimit() ) >> printk(XENLOG_WARNING >> - "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n", >> - __func__, next, data_size, buf->prod, buf->cons, >> rec_size); >> + "%s: size=%08x prod=%08x cons=%08x rec=%u\n", >> + __func__, data_size, next, buf->cons, rec_size); >> return; >> } >> - rmb(); >> >> - rec = next_record(buf); >> - if ( !rec ) >> - return; >> rec->event = event; >> rec->extra_u32 = extra_word; >> dst = (unsigned char *)rec->u.nocycles.extra_u32; >> @@ -537,9 +542,6 @@ static inline void __insert_record(volat >> >> wmb(); >> >> - next = buf->prod; >> - if ( bogus(next, buf->cons) ) >> - return; >> next += rec_size; >> if ( next >= 2*data_size ) >> next -= 2*data_size; >> >> >>_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel