Jan Beulich
2010-Jul-05 08:01 UTC
[Xen-devel] [PATCH] trace: further security fixes: add compiler memory barriers
This is to ensure fields shared writably with Dom0 get read only once
for any consistency checking followed by actual calculations.
I realized there was another multiple-read issue, a fix for which is
also included (which at once simplifies __insert_record()).
Signed-off-by: Jan Beulich <jbeulich@novell.com>
--- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200
+++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200
@@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32
static inline u32 calc_unconsumed_bytes(const struct t_buf *buf)
{
u32 prod = buf->prod, cons = buf->cons;
- s32 x = prod - cons;
+ s32 x;
+ barrier(); /* must read buf->prod and buf->cons only once */
if ( bogus(prod, cons) )
return data_size;
+ x = prod - cons;
if ( x < 0 )
x += 2*data_size;
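Review bot: The single-read guarantee in calc_unconsumed_bytes() rests entirely on `barrier()` sitting directly after the two loads. `buf` is a plain `const struct t_buf *`, so nothing else stops the compiler from fetching `buf->prod` or `buf->cons` again for the later arithmetic. The added comment says what must hold but not why; I would extend it to something like `/* Dom0 can rewrite prod/cons at any time: snapshot both once so bogus() and the arithmetic below see the same values */`. The same applies to the identical barrier lines added in calc_bytes_to_wrap() and next_record(). A volatile-qualified read of each field would make the intent independent of statement order, if the tree offers a helper for that. The function body continues past the end of the hunk.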
@@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes(
static inline u32 calc_bytes_to_wrap(const struct t_buf *buf)
{
- u32 prod = buf->prod;
- s32 x = data_size - prod;
+ u32 prod = buf->prod, cons = buf->cons;
+ s32 x;
- if ( bogus(prod, buf->cons) )
+ barrier(); /* must read buf->prod and buf->cons only once */
+ if ( bogus(prod, cons) )
return 0;
+ x = data_size - prod;
if ( x <= 0 )
x += data_size;
@@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const
return data_size - calc_unconsumed_bytes(buf);
}
-static inline struct t_rec *next_record(const struct t_buf *buf)
+static inline struct t_rec *next_record(const struct t_buf *buf,
+ uint32_t *next)
{
- u32 x = buf->prod;
+ u32 x = buf->prod, cons = buf->cons;
- if ( !tb_init_done || bogus(x, buf->cons) )
+ barrier(); /* must read buf->prod and buf->cons only once */
+ *next = x;
+ if ( !tb_init_done || bogus(x, cons) )
return NULL;
if ( x >= data_size )
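Review bot: next_record() stores the raw producer index into `*next` before the `tb_init_done`/`bogus()` test, so on the NULL return path the caller is handed a value that has not been validated. The only caller visible in this patch returns immediately on NULL, but nothing in the signature says so. A comment above the function such as `/* *next is only meaningful when a non-NULL record is returned */` would pin the contract down, or the store could move below the check. The new parameter is also spelled `uint32_t` while the rest of the function uses `u32`. The function body continues past the end of the hunk.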
@@ -504,23 +511,21 @@ static inline void __insert_record(volat
BUG_ON(local_rec_size != rec_size);
BUG_ON(extra & 3);
+ rec = next_record(buf, &next);
+ if ( !rec )
+ return;
/* Double-check once more that we have enough space.
* Don''t bugcheck here, in case the userland tool is doing
* something stupid. */
- next = calc_bytes_avail(buf);
- if ( next < rec_size )
+ if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size )
{
if ( printk_ratelimit() )
printk(XENLOG_WARNING
- "%s: avail=%u (size=%08x prod=%08x cons=%08x)
rec=%u\n",
- __func__, next, data_size, buf->prod, buf->cons,
rec_size);
+ "%s: size=%08x prod=%08x cons=%08x rec=%u\n",
+ __func__, data_size, next, buf->cons, rec_size);
return;
}
- rmb();
- rec = next_record(buf);
- if ( !rec )
- return;
rec->event = event;
rec->extra_u32 = extra_word;
dst = (unsigned char *)rec->u.nocycles.extra_u32;
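Review bot: The retained comment still reads "Double-check once more that we have enough space", but the replacement condition no longer looks at the consumer index; it only tests that the record ends inside `this_cpu(t_data) + data_size`. That bound is what keeps the write inside the per-CPU buffer when the shared producer index cannot be trusted, so the comment should say so, for example `/* Make sure the record cannot run past the end of this CPU's buffer, whatever prod was read as. */`. The warning also prints a fresh `buf->cons` next to the snapshotted `next`, so the logged consumer value may differ from the one bogus() saw; next_record() could hand back its `cons` snapshot as well. __insert_record() starts before and ends after this hunk.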
@@ -537,9 +542,6 @@ static inline void __insert_record(volat
wmb();
- next = buf->prod;
- if ( bogus(next, buf->cons) )
- return;
next += rec_size;
if ( next >= 2*data_size )
next -= 2*data_size;
Keir Fraser
2010-Jul-05 08:06 UTC
Re: [Xen-devel] [PATCH] trace: further security fixes: add compiler memory barriers
I think I already applied this patch. K. On 05/07/2010 09:01, "Jan Beulich" <JBeulich@novell.com> wrote:
> This is to ensure fields shared writably with Dom0 get read only once
> for any consistency checking followed by actual calculations.
>
> I realized there was another multiple-read issue, a fix for which is
> also included (which at once simplifies __insert_record()).
>
> Signed-off-by: Jan Beulich <jbeulich@novell.com>
>
> --- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200
> +++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200
> @@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32
> static inline u32 calc_unconsumed_bytes(const struct t_buf *buf)
> {
> u32 prod = buf->prod, cons = buf->cons;
> - s32 x = prod - cons;
> + s32 x;
>
> + barrier(); /* must read buf->prod and buf->cons only once */
> if ( bogus(prod, cons) )
> return data_size;
>
> + x = prod - cons;
> if ( x < 0 )
> x += 2*data_size;
>
> @@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes(
>
> static inline u32 calc_bytes_to_wrap(const struct t_buf *buf)
> {
> - u32 prod = buf->prod;
> - s32 x = data_size - prod;
> + u32 prod = buf->prod, cons = buf->cons;
> + s32 x;
>
> - if ( bogus(prod, buf->cons) )
> + barrier(); /* must read buf->prod and buf->cons only once */
> + if ( bogus(prod, cons) )
> return 0;
>
> + x = data_size - prod;
> if ( x <= 0 )
> x += data_size;
>
> @@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const
> return data_size - calc_unconsumed_bytes(buf);
> }
>
> -static inline struct t_rec *next_record(const struct t_buf *buf)
> +static inline struct t_rec *next_record(const struct t_buf *buf,
> + uint32_t *next)
> {
> - u32 x = buf->prod;
> + u32 x = buf->prod, cons = buf->cons;
>
> - if ( !tb_init_done || bogus(x, buf->cons) )
> + barrier(); /* must read buf->prod and buf->cons only once */
> + *next = x;
> + if ( !tb_init_done || bogus(x, cons) )
> return NULL;
>
> if ( x >= data_size )
> @@ -504,23 +511,21 @@ static inline void __insert_record(volat
> BUG_ON(local_rec_size != rec_size);
> BUG_ON(extra & 3);
>
> + rec = next_record(buf, &next);
> + if ( !rec )
> + return;
> /* Double-check once more that we have enough space.
> * Don''t bugcheck here, in case the userland tool is doing
> * something stupid. */
> - next = calc_bytes_avail(buf);
> - if ( next < rec_size )
> + if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size )
> {
> if ( printk_ratelimit() )
> printk(XENLOG_WARNING
> - "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n",
> - __func__, next, data_size, buf->prod, buf->cons,
> rec_size);
> + "%s: size=%08x prod=%08x cons=%08x rec=%u\n",
> + __func__, data_size, next, buf->cons, rec_size);
> return;
> }
> - rmb();
>
> - rec = next_record(buf);
> - if ( !rec )
> - return;
> rec->event = event;
> rec->extra_u32 = extra_word;
> dst = (unsigned char *)rec->u.nocycles.extra_u32;
> @@ -537,9 +542,6 @@ static inline void __insert_record(volat
>
> wmb();
>
> - next = buf->prod;
> - if ( bogus(next, buf->cons) )
> - return;
> next += rec_size;
> if ( next >= 2*data_size )
> next -= 2*data_size;
>
>
>_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
Jan Beulich
2010-Jul-05 08:57 UTC
Re: [Xen-devel] [PATCH] trace: further security fixes: add compiler memory barriers
>>> On 05.07.10 at 10:06, Keir Fraser <keir.fraser@eu.citrix.com> wrote:
> I think I already applied this patch.
Indeed - I forgot to check the staging tree before sending, and assumed you would be waiting for George''s ack. Jan
> On 05/07/2010 09:01, "Jan Beulich" <JBeulich@novell.com> wrote:
>
>> This is to ensure fields shared writably with Dom0 get read only once
>> for any consistency checking followed by actual calculations.
>>
>> I realized there was another multiple-read issue, a fix for which is
>> also included (which at once simplifies __insert_record()).
>>
>> Signed-off-by: Jan Beulich <jbeulich@novell.com>
>>
>> --- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200
>> +++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200
>> @@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32
>> static inline u32 calc_unconsumed_bytes(const struct t_buf *buf)
>> {
>> u32 prod = buf->prod, cons = buf->cons;
>> - s32 x = prod - cons;
>> + s32 x;
>>
>> + barrier(); /* must read buf->prod and buf->cons only once */
>> if ( bogus(prod, cons) )
>> return data_size;
>>
>> + x = prod - cons;
>> if ( x < 0 )
>> x += 2*data_size;
>>
>> @@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes(
>>
>> static inline u32 calc_bytes_to_wrap(const struct t_buf *buf)
>> {
>> - u32 prod = buf->prod;
>> - s32 x = data_size - prod;
>> + u32 prod = buf->prod, cons = buf->cons;
>> + s32 x;
>>
>> - if ( bogus(prod, buf->cons) )
>> + barrier(); /* must read buf->prod and buf->cons only once */
>> + if ( bogus(prod, cons) )
>> return 0;
>>
>> + x = data_size - prod;
>> if ( x <= 0 )
>> x += data_size;
>>
>> @@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const
>> return data_size - calc_unconsumed_bytes(buf);
>> }
>>
>> -static inline struct t_rec *next_record(const struct t_buf *buf)
>> +static inline struct t_rec *next_record(const struct t_buf *buf,
>> + uint32_t *next)
>> {
>> - u32 x = buf->prod;
>> + u32 x = buf->prod, cons = buf->cons;
>>
>> - if ( !tb_init_done || bogus(x, buf->cons) )
>> + barrier(); /* must read buf->prod and buf->cons only once */
>> + *next = x;
>> + if ( !tb_init_done || bogus(x, cons) )
>> return NULL;
>>
>> if ( x >= data_size )
>> @@ -504,23 +511,21 @@ static inline void __insert_record(volat
>> BUG_ON(local_rec_size != rec_size);
>> BUG_ON(extra & 3);
>>
>> + rec = next_record(buf, &next);
>> + if ( !rec )
>> + return;
>> /* Double-check once more that we have enough space.
>> * Don''t bugcheck here, in case the userland tool is doing
>> * something stupid. */
>> - next = calc_bytes_avail(buf);
>> - if ( next < rec_size )
>> + if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size )
>> {
>> if ( printk_ratelimit() )
>> printk(XENLOG_WARNING
>> - "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n",
>> - __func__, next, data_size, buf->prod, buf->cons,
>> rec_size);
>> + "%s: size=%08x prod=%08x cons=%08x rec=%u\n",
>> + __func__, data_size, next, buf->cons, rec_size);
>> return;
>> }
>> - rmb();
>>
>> - rec = next_record(buf);
>> - if ( !rec )
>> - return;
>> rec->event = event;
>> rec->extra_u32 = extra_word;
>> dst = (unsigned char *)rec->u.nocycles.extra_u32;
>> @@ -537,9 +542,6 @@ static inline void __insert_record(volat
>>
>> wmb();
>>
>> - next = buf->prod;
>> - if ( bogus(next, buf->cons) )
>> - return;
>> next += rec_size;
>> if ( next >= 2*data_size )
>> next -= 2*data_size;
>>
>>
>>_______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel