Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
xen.25150
xsa401-2.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa401-2.patch of Package xen.25150
From: Andrew Cooper <andrew.cooper3@citrix.com> Subject: x86/pv: Fix ABAC cmpxchg() race in _get_page_type() _get_page_type() suffers from a race condition where it incorrectly assumes that because 'x' was read and a subsequent a cmpxchg() succeeds, the type cannot have changed in-between. Consider: CPU A: 1. Creates an L2e referencing pg `-> _get_page_type(pg, PGT_l1_page_table), sees count 0, type PGT_writable_page 2. Issues flush_tlb_mask() CPU B: 3. Creates a writeable mapping of pg `-> _get_page_type(pg, PGT_writable_page), count increases to 1 4. Writes into new mapping, creating a TLB entry for pg 5. Removes the writeable mapping of pg `-> _put_page_type(pg), count goes back down to 0 CPU A: 7. Issues cmpxchg(), setting count 1, type PGT_l1_page_table CPU B now has a writeable mapping to pg, which Xen believes is a pagetable and suitably protected (i.e. read-only). The TLB flush in step 2 must be deferred until after the guest is prohibited from creating new writeable mappings, which is after step 7. Defer all safety actions until after the cmpxchg() has successfully taken the intended typeref, because that is what prevents concurrent users from using the old type. Also remove the early validation for writeable and shared pages. This removes race conditions where one half of a parallel mapping attempt can return successfully before: * The IOMMU pagetables are in sync with the new page type * Writeable mappings to shared pages have been torn down This is part of XSA-401 / CVE-2022-26362. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Reviewed-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: George Dunlap <george.dunlap@citrix.com> --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -3037,46 +3037,12 @@ static int _get_page_type(struct page_in * Type changes are permitted when the typeref is 0. If the type * actually changes, the page needs re-validating. */ - struct domain *d = page_get_owner(page); - - if ( d && shadow_mode_enabled(d) ) - shadow_prepare_page_type_change(d, page, type); ASSERT(!(x & PGT_pae_xen_l2)); if ( (x & PGT_type_mask) != type ) { - /* - * On type change we check to flush stale TLB entries. It is - * vital that no other CPUs are left with writeable mappings - * to a frame which is intending to become pgtable/segdesc. - */ - cpumask_t *mask = this_cpu(scratch_cpumask); - - BUG_ON(in_irq()); - cpumask_copy(mask, d->dirty_cpumask); - - /* Don't flush if the timestamp is old enough */ - tlbflush_filter(mask, page->tlbflush_timestamp); - - if ( unlikely(!cpumask_empty(mask)) && - /* Shadow mode: track only writable pages. */ - (!shadow_mode_enabled(d) || - ((nx & PGT_type_mask) == PGT_writable_page)) ) - { - perfc_incr(need_flush_tlb_flush); - flush_tlb_mask(mask); - } - - /* We lose existing type and validity. */ nx &= ~(PGT_type_mask | PGT_validated); nx |= type; - - /* - * No special validation needed for writable pages. - * Page tables and GDT/LDT need to be scanned for validity. - */ - if ( type == PGT_writable_page || type == PGT_shared_page ) - nx |= PGT_validated; } } else if ( unlikely((x & (PGT_type_mask|PGT_pae_xen_l2)) != type) ) @@ -3158,6 +3124,46 @@ static int _get_page_type(struct page_in return -EINTR; } + /* + * One typeref has been taken and is now globally visible. + * + * The page is either in the "validate locked" state (PGT_[type] | 1) or + * fully validated (PGT_[type] | PGT_validated | >0). + */ + + if ( unlikely((x & PGT_count_mask) == 0) ) + { + struct domain *d = page_get_owner(page); + + if ( d && shadow_mode_enabled(d) ) + shadow_prepare_page_type_change(d, page, type); + + if ( (x & PGT_type_mask) != type ) + { + /* + * On type change we check to flush stale TLB entries. It is + * vital that no other CPUs are left with writeable mappings + * to a frame which is intending to become pgtable/segdesc. + */ + cpumask_t *mask = this_cpu(scratch_cpumask); + + BUG_ON(in_irq()); + cpumask_copy(mask, d->dirty_cpumask); + + /* Don't flush if the timestamp is old enough */ + tlbflush_filter(mask, page->tlbflush_timestamp); + + if ( unlikely(!cpumask_empty(mask)) && + /* Shadow mode: track only writable pages. */ + (!shadow_mode_enabled(d) || + ((nx & PGT_type_mask) == PGT_writable_page)) ) + { + perfc_incr(need_flush_tlb_flush); + flush_tlb_mask(mask); + } + } + } + if ( unlikely((x & PGT_type_mask) != type) ) { /* Special pages should not be accessible from devices. */ @@ -3186,13 +3192,25 @@ static int _get_page_type(struct page_in if ( unlikely(!(nx & PGT_validated)) ) { - if ( !(x & PGT_partial) ) + /* + * No special validation needed for writable or shared pages. Page + * tables and GDT/LDT need to have their contents audited. + * + * per validate_page(), non-atomic updates are fine here. + */ + if ( type == PGT_writable_page || type == PGT_shared_page ) + page->u.inuse.type_info |= PGT_validated; + else { - page->nr_validated_ptes = 0; - page->partial_flags = 0; - page->linear_pt_count = 0; + if ( !(x & PGT_partial) ) + { + page->nr_validated_ptes = 0; + page->partial_flags = 0; + page->linear_pt_count = 0; + } + + rc = alloc_page_type(page, type, preemptible); } - rc = alloc_page_type(page, type, preemptible); } out:
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor