From: Norbert Manthey Date: Thu, 14 Mar 2019 12:56:00 +0000 (+0100) Subject: common/memory: block speculative out-of-bound accesses X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=dfdf4780487aeb3e983a1a23d5114246e55e8168;p=people%2Froyger%2Fxen.git common/memory: block speculative out-of-bound accesses The get_page_from_gfn method returns a pointer to a page that belongs to a gfn. Before returning the pointer, the gfn is checked for being valid. Under speculation, these checks can be bypassed, so that the function get_page is still executed partially. Consequently, the function page_get_owner_and_reference might be executed partially as well. In this function, the computed pointer is accessed, resulting in a speculative out-of-bound address load. As the gfn can be controlled by a guest, this access is problematic. To mitigate the root cause, an lfence instruction is added via the evaluate_nospec macro. To make the protection generic, we do not introduce the lfence instruction for this single check, but add it to the mfn_valid function. This way, other potentially problematic accesses are protected as well. This is part of the speculative hardening effort. Signed-off-by: Norbert Manthey Acked-by: Jan Beulich --- diff --git a/xen/common/pdx.c b/xen/common/pdx.c index 1a2100c9d9..50c21b6bf8 100644 --- a/xen/common/pdx.c +++ b/xen/common/pdx.c @@ -18,6 +18,7 @@ #include #include #include +#include /* Parameters for PFN/MADDR compression. */ unsigned long __read_mostly max_pdx; @@ -33,8 +34,9 @@ unsigned long __read_mostly pdx_group_valid[BITS_TO_LONGS( bool __mfn_valid(unsigned long mfn) { - return likely(mfn < max_page) && - likely(!(mfn & pfn_hole_mask)) && + if ( unlikely(evaluate_nospec(mfn >= max_page)) ) + return false; + return likely(!(mfn & pfn_hole_mask)) && likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT, pdx_group_valid)); }