When interacting with io apic, a guest can specify values that are used
as index to structures, and whose values are not compared against
upper bounds to prevent speculative out-of-bound accesses. This change
prevents these speculative accesses.
Furthermore, variables are initialized and the compiler is asked to not
optimized these initializations, as the uninitialized variables might be
used in a speculative out-of-bound access. Out of the four initialized
variables, two are potentially problematic, namely ones in the functions
vioapic_irq_positive_edge and vioapic_get_trigger_mode.
As the two problematic variables are both used in the common function
gsi_vioapic, the mitigation is implemented there. As the access pattern
of the currently non-guest-controlled functions might change in the
future as well, the other variables are initialized as well.
This is part of the speculative hardening effort.
Signed-off-by: Norbert Manthey
---
Notes:
v7: mention speculative hardening in commit message
fix comment typo
drop 'guest controlled' from commit message
xen/arch/x86/hvm/vioapic.c | 28 ++--
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/xen/arch/x86/hvm/vioapic.c b/xen/arch/x86/hvm/vioapic.c
--- a/xen/arch/x86/hvm/vioapic.c
+++ b/xen/arch/x86/hvm/vioapic.c
@@ -30,6 +30,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -66,6 +67,12 @@ static struct hvm_vioapic *gsi_vioapic(const struct domain
*d,
{
unsigned int i;
+/*
+ * Make sure the compiler does not optimize away the initialization done by
+ * callers
+ */
+OPTIMIZER_HIDE_VAR(*pin);
+
for ( i = 0; i < d->arch.hvm.nr_vioapics; i++ )
{
struct hvm_vioapic *vioapic = domain_vioapic(d, i);
@@ -117,7 +124,8 @@ static uint32_t vioapic_read_indirect(const struct
hvm_vioapic *vioapic)
break;
}
-redir_content = vioapic->redirtbl[redir_index].bits;
+redir_content = vioapic->redirtbl[array_index_nospec(redir_index,
+ vioapic->nr_pins)].bits;
result = (vioapic->ioregsel & 1) ? (redir_content >> 32)
: redir_content;
break;
@@ -212,7 +220,15 @@ static void vioapic_write_redirent(
struct hvm_irq *hvm_irq = hvm_domain_irq(d);
union vioapic_redir_entry *pent, ent;
int unmasked = 0;
-unsigned int gsi = vioapic->base_gsi + idx;
+unsigned int gsi;
+
+/* Callers of this function should make sure idx is bounded appropriately
*/
+ASSERT(idx < vioapic->nr_pins);
+
+/* Make sure no out-of-bounds value for idx can be used */
+idx = array_index_nospec(idx, vioapic->nr_pins);
+
+gsi = vioapic->base_gsi + idx;
spin_lock(>arch.hvm.irq_lock);
@@ -467,7 +483,7 @@ static void vioapic_deliver(struct hvm_vioapic *vioapic,
unsigned int pin)
void vioapic_irq_positive_edge(struct domain *d, unsigned int irq)
{
-unsigned int pin;
+unsigned int pin = 0; /* See gsi_vioapic */
struct hvm_vioapic *vioapic = gsi_vioapic(d, irq, );
union vioapic_redir_entry *ent;
@@ -542,7 +558,7 @@ void vioapic_update_EOI(struct domain *d, u8 vector)
int vioapic_get_mask(const struct domain *d, unsigned int gsi)
{
-unsigned int pin;
+unsigned int pin = 0; /* See gsi_vioapic */
const struct hvm_vioapic *vioapic = gsi_vioapic(d, gsi, );
if ( !vioapic )
@@ -553,7 +569,7 @@ int vioapic_get_mask(const struct domain *d, unsigned int
gsi)
int vioapic_get_vector(const struct domain *d, unsigned int gsi)
{
-unsigned int pin;
+unsigned int pin = 0; /* See gsi_vioapic */
const struct hvm_vioapic *vioapic = gsi_vioapic(d, gsi, );
if ( !vioapic )
@@ -564,7 +580,7 @@ int vioapic_get_vector(const struct domain *d, unsigned int
gsi)
int vioapic_get_trigger_mode(const struct domain *d, unsigned int gsi)
{
-unsigned int pin;
+unsigned int pin = 0; /* See gsi_vioapic */
const struct hvm_vioapic *vioapic = gsi_vioapic(d, gsi, );
if ( !vioapic )
--
2.7.4
Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrer: Christian Schlaeger, Ralf Herbrich
Ust-ID: DE 289 237 879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
___
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
