From: Jan Beulich <jbeulich@suse.com>

Subject: xenoprof: limit consumption of shared buffer data

Since a shared buffer can be written to by the guest, we may only read

the head and tail pointers from there (all other fields should only ever

be written to). Furthermore, for any particular operation the two values

must be read exactly once, with both checks and consumption happening

with the thus read values. (The backtrace related xenoprof_buf_space()

use in xenoprof_log_event() is an exception: The values used there get

re-checked by every subsequent xenoprof_add_sample().)

Since that code needed touching, also fix the double increment of the

lost samples count in case the backtrace related xenoprof_add_sample()

invocation in xenoprof_log_event() fails.

Where code is being touched anyway, add const as appropriate, but take

the opportunity to entirely drop the now unused domain parameter of

xenoprof_buf_space().

This is part of XSA-313.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>

Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: George Dunlap <george.dunlap@citrix.com>

Reviewed-by: Wei Liu <wl@xen.org>

--- a/xen/common/xenoprof.c

+++ b/xen/common/xenoprof.c

@@ -479,25 +479,22 @@ static int add_passive_list(XEN_GUEST_HA

 /* Get space in the buffer */

-static int xenoprof_buf_space(struct domain *d, xenoprof_buf_t * buf, int size)

+static int xenoprof_buf_space(int head, int tail, int size)

 {

-    int head, tail;

-

-    head = xenoprof_buf(d, buf, event_head);

-    tail = xenoprof_buf(d, buf, event_tail);

-

     return ((tail > head) ? 0 : size) + tail - head - 1;

 }

 /* Check for space and add a sample. Return 1 if successful, 0 otherwise. */

-static int xenoprof_add_sample(struct domain *d, xenoprof_buf_t *buf,

+static int xenoprof_add_sample(const struct domain *d,

+                               const struct xenoprof_vcpu *v,

                                uint64_t eip, int mode, int event)

 {

+    xenoprof_buf_t *buf = v->buffer;

     int head, tail, size;

     head = xenoprof_buf(d, buf, event_head);

     tail = xenoprof_buf(d, buf, event_tail);

-    size = xenoprof_buf(d, buf, event_size);

+    size = v->event_size;

     /* make sure indexes in shared buffer are sane */

     if ( (head < 0) || (head >= size) || (tail < 0) || (tail >= size) )

@@ -506,7 +503,7 @@ static int xenoprof_add_sample(struct do

         return 0;

     }

-    if ( xenoprof_buf_space(d, buf, size) > 0 )

+    if ( xenoprof_buf_space(head, tail, size) > 0 )

     {

         xenoprof_buf(d, buf, event_log[head].eip) = eip;

         xenoprof_buf(d, buf, event_log[head].mode) = mode;

@@ -530,7 +527,6 @@ static int xenoprof_add_sample(struct do

 int xenoprof_add_trace(struct vcpu *vcpu, uint64_t pc, int mode)

 {

     struct domain *d = vcpu->domain;

-    xenoprof_buf_t *buf = d->xenoprof->vcpu[vcpu->vcpu_id].buffer;

     /* Do not accidentally write an escape code due to a broken frame. */

     if ( pc == XENOPROF_ESCAPE_CODE )

@@ -539,7 +535,8 @@ int xenoprof_add_trace(struct vcpu *vcpu

         return 0;

     }

-    return xenoprof_add_sample(d, buf, pc, mode, 0);

+    return xenoprof_add_sample(d, &d->xenoprof->vcpu[vcpu->vcpu_id],

+                               pc, mode, 0);

 }

 void xenoprof_log_event(struct vcpu *vcpu, const struct cpu_user_regs *regs,

@@ -570,17 +567,22 @@ void xenoprof_log_event(struct vcpu *vcp

     /* Provide backtrace if requested. */

     if ( backtrace_depth > 0 )

     {

-        if ( (xenoprof_buf_space(d, buf, v->event_size) < 2) ||

-             !xenoprof_add_sample(d, buf, XENOPROF_ESCAPE_CODE, mode, 

-                                  XENOPROF_TRACE_BEGIN) )

+        if ( xenoprof_buf_space(xenoprof_buf(d, buf, event_head),

+                                xenoprof_buf(d, buf, event_tail),

+                                v->event_size) < 2 )

         {

             xenoprof_buf(d, buf, lost_samples)++;

             lost_samples++;

             return;

         }

+

+        /* xenoprof_add_sample() will increment lost_samples on failure */

+        if ( !xenoprof_add_sample(d, v, XENOPROF_ESCAPE_CODE, mode,

+                                  XENOPROF_TRACE_BEGIN) )

+            return;

     }

-    if ( xenoprof_add_sample(d, buf, pc, mode, event) )

+    if ( xenoprof_add_sample(d, v, pc, mode, event) )

     {

         if ( is_active(vcpu->domain) )

             active_samples++;

--- a/xen/include/xen/xenoprof.h

+++ b/xen/include/xen/xenoprof.h

@@ -61,12 +61,12 @@ struct xenoprof {

 #ifndef CONFIG_COMPAT

 #define XENOPROF_COMPAT(x) 0

-#define xenoprof_buf(d, b, field) ((b)->field)

+#define xenoprof_buf(d, b, field) ACCESS_ONCE((b)->field)

 #else

 #define XENOPROF_COMPAT(x) ((x)->is_compat)

-#define xenoprof_buf(d, b, field) (*(!(d)->xenoprof->is_compat ? \

-                                       &(b)->native.field : \

-                                       &(b)->compat.field))

+#define xenoprof_buf(d, b, field) ACCESS_ONCE(*(!(d)->xenoprof->is_compat \

+                                                ? &(b)->native.field \

+                                                : &(b)->compat.field))

 #endif

 struct domain;