Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3776268ybi; Fri, 5 Jul 2019 13:49:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqz7W9j9Qowbtbpb9+8J6S3Cdg4fv5dekR9lyrV+ss3k+gDAN/iAj8uHZGs3oNvFTAXtnBEB X-Received: by 2002:a63:4d05:: with SMTP id a5mr7038748pgb.19.1562359760345; Fri, 05 Jul 2019 13:49:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562359760; cv=none; d=google.com; s=arc-20160816; b=EZDiGWt4KVFsYkfZwJd/l4mVcDSW3B+9BgT+ck+T7jBvdyrJTl/K7mCbBTMT2pRaR7 B4Z3pwO++Wn+DVqurFueBbrnMKOLU9HppkFjFkPOtMSa8ejsSrcnBNfAwS3YLE35uxH1 DxZaKh0r6sHR6+zsWmV1Vo9dFq5EszkuM/E/BiUTO7aa0mXmqHNyfmOirNH8tXl6anHe 4dIW0WZUswxCHKNVjcUmS8NBVLmROLQr9DMQlanEusgCoX+xYegw+nkqvQeAUEI/l5H1 m7DIw6v3YXF1BqQ0Q86jOQ8j1KH9D7adrBdsXnSmAZ1ljN6b6IF//Nb2NC6AMKKFBBo9 th0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:openpgp:from:references:cc:to:subject :ironport-sdr; bh=4xtBpJ+xrjh6bG9nFyqqV9CbjxKkD8ZIQV3lYLOngOk=; b=O6ndxbUc312k2F+o+f/cb3HnBprnZY7mshbvxFHa846XZO0QMCdmJxz9g6PukbrzkZ x00VkGUHzU8F0+ERKJJpUUlSstwTkRNSln3XR3uAozDrrdrNpAmSLIcIVaAlsHhczoRQ D1p14ncLAXeJ0/M6AoQ3K1II4uafoVHV6A0r3P6KwJppGPOjL1NzuXMUrI61xUqjMZ2V MH5Ka9fUXuN0d7e/gkdUl05rxtFT8Lgunvyn4SJ1YHBscR/Iy7jFzwC9xUsZ5CXjB1a7 HOm+fXnkWr7wcOlNF0aAQkG7LqFaUtW74ChiKzA8KE9eJ1wdmhkEsBGlDihRGIkSEAYT Gg/Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 19si9680209pga.554.2019.07.05.13.49.05; Fri, 05 Jul 2019 13:49:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728274AbfGEUrQ (ORCPT + 99 others); Fri, 5 Jul 2019 16:47:16 -0400 Received: from esa5.hc3370-68.iphmx.com ([216.71.155.168]:9749 "EHLO esa5.hc3370-68.iphmx.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727983AbfGEUrN (ORCPT ); Fri, 5 Jul 2019 16:47:13 -0400 Authentication-Results: esa5.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none; spf=None smtp.pra=andrew.cooper3@citrix.com; spf=Pass smtp.mailfrom=Andrew.Cooper3@citrix.com; spf=None smtp.helo=postmaster@mail.citrix.com Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of andrew.cooper3@citrix.com) identity=pra; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="andrew.cooper3@citrix.com"; x-conformance=sidf_compatible Received-SPF: Pass (esa5.hc3370-68.iphmx.com: domain of Andrew.Cooper3@citrix.com designates 162.221.158.21 as permitted sender) identity=mailfrom; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="Andrew.Cooper3@citrix.com"; x-conformance=sidf_compatible; x-record-type="v=spf1"; x-record-text="v=spf1 ip4:209.167.231.154 ip4:178.63.86.133 ip4:195.66.111.40/30 ip4:85.115.9.32/28 ip4:199.102.83.4 ip4:192.28.146.160 ip4:192.28.146.107 ip4:216.52.6.88 ip4:216.52.6.188 ip4:162.221.158.21 ip4:162.221.156.83 ~all" Received-SPF: None (esa5.hc3370-68.iphmx.com: no sender authenticity information available from domain of postmaster@mail.citrix.com) identity=helo; client-ip=162.221.158.21; receiver=esa5.hc3370-68.iphmx.com; envelope-from="Andrew.Cooper3@citrix.com"; x-sender="postmaster@mail.citrix.com"; x-conformance=sidf_compatible IronPort-SDR: RF54UiNQoJAo/T7FHOXewtZzFblpeyyK9aWIzQr9yHrbxvl2kp+SUO4nmcuyo1n692r6mAP29z 3HNbfHFydWjwQI1WHQPLwQH/GrEomPjUBHd+eWE4e/jwuydz701CWkE/wzCF94VzCVrcFOGJX7 F3ZTFJtJl5Ej0VvDjhzWGLTIVl6OvA+qqHawA3fZwcw5mI1lfx8L1Q6LWBI2HnGOGhuQqotP2z RIPYuDUh6NRpyPlP7coe2ea5XIMnDRreoXQ9KFIrUF/ZolDmn9XPaoic3rk5+XjFfc4OuFpStS lfc= X-SBRS: 2.7 X-MesageID: 2668409 X-Ironport-Server: esa5.hc3370-68.iphmx.com X-Remote-IP: 162.221.158.21 X-Policy: $RELAYED X-IronPort-AV: E=Sophos;i="5.63,456,1557201600"; d="scan'208";a="2668409" Subject: Re: [patch V2 04/25] x86/apic: Make apic_pending_intr_clear() more robust To: Nadav Amit CC: Thomas Gleixner , LKML , "x86@kernel.org" , Ricardo Neri , Stephane Eranian , Feng Tang , Andy Lutomirski , Andrew Cooper References: <20190704155145.617706117@linutronix.de> <20190704155608.636478018@linutronix.de> <958a67c2-4dc0-52e6-43b2-1ebd25a59232@citrix.com> <66E585C6-468E-4EFD-931C-47BFF5E104EB@vmware.com> From: Andrew Cooper Openpgp: preference=signencrypt Autocrypt: addr=andrew.cooper3@citrix.com; prefer-encrypt=mutual; keydata= mQINBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABtClBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPokCOgQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86LkCDQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAYkC HwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA== Message-ID: Date: Fri, 5 Jul 2019 21:47:09 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <66E585C6-468E-4EFD-931C-47BFF5E104EB@vmware.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Content-Language: en-GB X-ClientProxiedBy: AMSPEX02CAS02.citrite.net (10.69.22.113) To AMSPEX02CL02.citrite.net (10.69.22.126) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/07/2019 20:19, Nadav Amit wrote: >> On Jul 5, 2019, at 8:47 AM, Andrew Cooper wrote: >> >> On 04/07/2019 16:51, Thomas Gleixner wrote: >>> 2) The loop termination logic is interesting at best. >>> >>> If the machine has no TSC or cpu_khz is not known yet it tries 1 >>> million times to ack stale IRR/ISR bits. What? >>> >>> With TSC it uses the TSC to calculate the loop termination. It takes a >>> timestamp at entry and terminates the loop when: >>> >>> (rdtsc() - start_timestamp) >= (cpu_hkz << 10) >>> >>> That's roughly one second. >>> >>> Both methods are problematic. The APIC has 256 vectors, which means >>> that in theory max. 256 IRR/ISR bits can be set. In practice this is >>> impossible as the first 32 vectors are reserved and not affected and >>> the chance that more than a few bits are set is close to zero. >> [Disclaimer. I talked to Thomas in private first, and he asked me to >> post this publicly as the CVE is almost a decade old already.] >> >> I'm afraid that this isn't quite true. >> >> In terms of IDT vectors, the first 32 are reserved for exceptions, but >> only the first 16 are reserved in the LAPIC. Vectors 16-31 are fair >> game for incoming IPIs (SDM Vol3, 10.5.2 Valid Interrupt Vectors). >> >> In practice, this makes Linux vulnerable to CVE-2011-1898 / XSA-3, which >> I'm disappointed to see wasn't shared with other software vendors at the >> time. > IIRC (and from skimming the CVE again) the basic problem in Xen was that > MSIs can be used when devices are assigned to generate IRQs with arbitrary > vectors. The mitigation was to require interrupt remapping to be enabled in > the IOMMU when IOMMU is used for DMA remapping (i.e., device assignment). > > Are you concerned about this case, additional concrete ones, or is it about > security hardening? (or am I missing something?) The phrase "impossible as the first 32 vectors are reserved" stuck out, because its not true.  That generally means that any logic derived from it is also false. :) In practice, I was thinking more about robustness against buggy conditions.  Setting TPR to 1 at start of day is very easy.  Some of the other protections, less so. When it comes to virtualisation, security is an illusion when a guest kernel has a real piece of hardware in its hands.  Anyone who is under the misapprehension otherwise should try talking to a IOMMU hardware engineer and see the reaction on their face.  IOMMUs were designed to isolate devices when all controlling software was of the same privilege level.  They don't magically make the system safe against a hostile guest device driver, which in the most basic case, can still mount a DoS attempt with deliberately bad DMA. ~Andrew