From patchwork Tue Feb 18 16:56:17 2014
X-Patchwork-Submitter: Julien Grall
X-Patchwork-Id: 24908
From: Julien Grall
To: xen-devel@lists.xenproject.org
Date: Tue, 18 Feb 2014 16:56:17 +0000
Message-Id: <1392742577-3052-1-git-send-email-julien.grall@linaro.org>
Cc: stefano.stabellini@citrix.com, Julien Grall, tim@xen.org, ian.campbell@citrix.com, George Dunlap
Subject: [Xen-devel] [PATCH v2] xen/arm: Correctly handle non-page aligned pointer in raw_copy_from_guest

The current implementation of the raw_copy_guest helper may lead to data
corruption and sometimes a Xen crash when the guest virtual address is not
aligned to PAGE_SIZE.

When the total length is higher than a page, the length to read is badly
computed with
    min(len, (unsigned)(PAGE_SIZE - offset))

As the offset is only computed one time per function, if the start address was
not aligned to PAGE_SIZE, we can end up in the same iteration:
    - to read across page boundary => xen crash
    - read the previous page => data corruption

This issue can be resolved by setting offset to 0 at the end of the first
iteration. Indeed, after it, the virtual guest address is always aligned to
PAGE_SIZE.

Signed-off-by: Julien Grall
Cc: George Dunlap
Acked-by: Ian Campbell
---
    This patch is a bug fix for Xen 4.4. Without this patch the data may be
    corrupted when Xen is copying data from the guest if the guest virtual
    address is not aligned to PAGE_SIZE. Sometimes it can also crash Xen.

    This function is used in numerous places in Xen. If it introduces another
    bug we can see quickly with a small amount of data.

    Changes in v2:
        - Only raw_copy_from_guest is buggy, the other raw_copy_* helpers
          were safe because of the "offset = 0" at the end of the loop
        - Update commit message and title
---
xen/arch/arm/guestcopy.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/xen/arch/arm/guestcopy.c b/xen/arch/arm/guestcopy.c index af0af6b..715bb4e 100644 --- a/xen/arch/arm/guestcopy.c +++ b/xen/arch/arm/guestcopy.c @@ -96,6 +96,11 @@ unsigned long raw_copy_from_guest(void *to, const void __user *from, unsigned le len -= size; from += size; to += size; + /* + * After the first iteration, guest virtual address is correctly + * aligned to PAGE_SIZE. + */ + offset = 0; } return 0; }
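
Review bot: The "offset = 0;" reset added at the bottom of the loop body in raw_copy_from_guest only holds as long as every iteration reaches that last statement; a later early "continue" or a reordering of the "len -= size; from += size; to += size;" tail would bring the stale offset back without any visible change to the size computation. Since the v2 notes say the other raw_copy_* helpers rely on the same trailing reset, consider deriving the in-page offset from "from" at the top of each iteration instead, so the value cannot go stale in any of the helpers. The new comment would also be more useful if it named what the reset protects (the per-iteration size calculation that uses offset), not only that the address is now page aligned.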
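
The boundary-crossing case from the commit message, modelled as an added example (not code from the patch or from Xen). It assumes 4 KiB pages and that each chunk is read starting at the in-page position of the current guest address; crossing_chunks and reset_offset are names made up for this sketch.

```c
#include <stdio.h>

#define PAGE_SIZE 4096u  /* assumption: 4 KiB pages */

/*
 * Simplified model of the chunking loop. Returns how many chunks would
 * run past the end of the page they start in.
 * reset_offset = 0 models the loop before the patch, 1 after it.
 */
static unsigned crossing_chunks(unsigned long from, unsigned len,
                                int reset_offset)
{
    /* Computed once per call, as the commit message describes. */
    unsigned offset = (unsigned)(from & (PAGE_SIZE - 1));
    unsigned crossings = 0;

    while (len) {
        unsigned room = PAGE_SIZE - offset;
        unsigned size = len < room ? len : room;   /* min(len, room) */
        unsigned in_page = (unsigned)(from & (PAGE_SIZE - 1));

        if (in_page + size > PAGE_SIZE)
            crossings++;        /* read would leave the mapped page */

        len -= size;
        from += size;
        if (reset_offset)
            offset = 0;         /* the one-line fix from the patch */
    }
    return crossings;
}

int main(void)
{
    /* Constructed input: start 0x100 into a page, three pages of data. */
    unsigned long from = 0x10100UL;
    unsigned len = 3 * PAGE_SIZE;

    printf("before fix: %u crossing chunk(s)\n",
           crossing_chunks(from, len, 0));
    printf("after fix:  %u crossing chunk(s)\n",
           crossing_chunks(from, len, 1));
    return 0;
}
```

With the stale offset the chunk size stays capped at 0xF00, so the address drifts off alignment again from the third chunk onward; with the reset every chunk after the first starts on a page boundary.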