From nobody Thu May 9 05:04:38 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1706650063; cv=none; d=zohomail.com; s=zohoarc; b=lbYIzKPjtHLiF6dje1XqxVPgIE4k9xfQsDGW/ReSO1W/4RdkgIz8hv9dcD1z5CK3Cc4Y1MIQz2DVrs3ghdh5EeX2H3z4F4RPTtHRlBSV1xpGtrdNrq2RwL9qVyWBM5KxNJVHNU7F1gcKVIGBViP6BDYL3I18K4sll2Srq6cq4kw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1706650063; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=CPvrufMJZejj9ap9bDESTma7DF/5+aP52WMbLWuEeEE=; b=ehvN2ROQlIoZ2bKgXf8BBx8gf6Crit3ndd5Aa9Od4LPCJ1nPCgukqyfQh+boS0yot713a/y5lI9ObgOHya0WTt4RJvz44RlqxKy4eWI20tyZ8xs7qaybK/bvXeEOhCC2Q1HRysVkBLn6Nff8gMQw2AiWHb4/z3ryCUx/DKCOWSQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1706650063088601.7572121258986; Tue, 30 Jan 2024 13:27:43 -0800 (PST) Received: from list by lists.xenproject.org with outflank-mailman.673690.1048125 (Exim 4.92) (envelope-from ) id 1rUvdT-0001ep-Ji; Tue, 30 Jan 2024 21:27:15 +0000 Received: by outflank-mailman (output) from mailman id 673690.1048125; Tue, 30 Jan 2024 21:27:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rUvdT-0001ei-Gd; Tue, 30 Jan 2024 21:27:15 +0000 Received: by outflank-mailman (input) for mailman id 673690; Tue, 30 Jan 2024 21:27:14 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rUvdS-0001ea-2p for xen-devel@lists.xenproject.org; Tue, 30 Jan 2024 21:27:14 +0000 Received: from esa1.hc3370-68.iphmx.com (esa1.hc3370-68.iphmx.com [216.71.145.142]) by se1-gles-sth1.inumbo.com (Halon) with ESMTPS id 52f8477b-bfb6-11ee-8a43-1f161083a0e0; Tue, 30 Jan 2024 22:27:11 +0100 (CET) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 52f8477b-bfb6-11ee-8a43-1f161083a0e0 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=citrix.com; s=securemail; t=1706650031; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=8y0bRSy0+N/o2vbhG8udrGq58MblxfpHPx6TknWZBpE=; b=dJHfP8GlZA6/DnU+qfXceJZ1gN+AsDliVziE9gOWzyWHwUT7tST1EyDg NYIv+qcEH5x/p5LhlLoMhbLILqXpzYl3zjWX4KOKGZy6nlj0zaYmIhFOH fBJK41nt9pQsnZkgDrfJyxJc6GSkHsTGPynMpuq4q9dgkOkFtxbugXGTI Q=; X-CSE-ConnectionGUID: KQ4cbhfqRrSN6M/d6A1Y/Q== X-CSE-MsgGUID: apOJKLZQTQSLxtle0/aegA== Authentication-Results: esa1.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none X-SBRS: 4.0 X-MesageID: 130226928 X-Ironport-Server: esa1.hc3370-68.iphmx.com X-Remote-IP: 162.221.159.70 X-Policy: $RELAYED X-ThreatScanner-Verdict: Negative IronPort-Data: A9a23:dg8OEatce/cKYMngfwnTtSUcYefnVC1eMUV32f8akzHdYApBsoF/q tZmKWrVaauJZTajfth+bYu/pEkPsJ7cytE3HFE4r31mHy4b+JbJXdiXEBz9bniYRiHhoOCLz O1FM4Wdc5pkJpP4jk3wWlQ0hSAkjclkfpKlVaicfHg3HFc4IMsYoUoLs/YjhYJ1isSODQqIu Nfjy+XSI1bg0DNvWo4uw/vrRChH4rKq5Vv0gnRkPaoX5AaFzyFPZH4iDfrZw0XQE9E88tGSH 44v/JnhlkvF8hEkDM+Sk7qTWiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JFAatjsB2bnsgZ9 Tl4ncfYpTHFnEH7sL91vxFwS0mSNEDdkVPNCSDXXce7lyUqf5ZwqhnH4Y5f0YAwo45K7W9yG fMwCwlRZRqDifuM2omdFMwripoKdfisBdZK0p1g5Wmx4fcORJnCR+PB5MNC3Sd2jcdLdRrcT 5NHM3w1Nk2GOkAefAhPYH49tL7Aan3XWjtUsl+K44Ew5HDe1ldZ27nxKtvFPNeNQK25m27B/ TqcpTqoWEFy2Nq3wCKi0FGItNbzpBjfSJ4WGeX///NlqQjGroAUIEJPDgbqyRWjsWauVtQaJ 0EK9y4Gqakp6FftXtT7Rwe/onOPolgbQdU4O/Ez7QiW4rbX5wufCXkJSnhKb9lOnO0cSCEu1 1SJt8j0HjEpu7qQIVqG7audpz62PSkTLEcBaDUCQA9D5MPsyKksijrfQ9AlF7S65vX3BDXxz jaivCU4wbIJgqY2O76TpA6dxWj2/96QE19zuV2/sn+ZAh1RR7f5bIao50Hh981mcqPeQgeo5 UlDop3LhAwRNq1hhBBhUc1UQ+n3ua/UYWKA6WODCaXN4NhExpJCQWyzyGsnTKuRGpxYEQIFm WeK0e+r2LddPWGxcYh8aJ+rBsIhwMDITIu9CK6INoIVPMQpKmdrGR2CgmbJgQjQfLUEy/lja f93j+7yZZrlNUiX5GXvHLpMuVPa7is/2XnSVfjG8vhT6pLHPCT9Ye5cYDOzghURsPvsTPP9r 4wOaKNnCnx3DIXDX8Ug2dVOcQhVfCJnXMCeRg4+XrfrHzeK0VoJU5f5qY7NsaQ890iJvo8kJ k2AZ3I= IronPort-HdrOrdr: A9a23:3zu1oazKIrJCmTgXm5Q8KrPwIL1zdoMgy1knxilNoRw8SKKlfq eV7ZAmPH7P+VAssR4b+exoVJPtfZq+z+8R3WByB8bAYOCOggLBR+sO0WKL+UyGJ8SUzI9gPM lbHJSWcOeAb2RHsQ== X-Talos-CUID: 9a23:myqF2G4MyPKkP7wWutss13dIEcolfGTn1kz2fWr/BThAEYzScArF X-Talos-MUID: =?us-ascii?q?9a23=3Aob/xeAzwSNpeV0KCbHqk2wovw/qaqK22L2Iutac?= =?us-ascii?q?/h/C/ETxsPzrFyz26TaZyfw=3D=3D?= X-IronPort-AV: E=Sophos;i="6.05,230,1701147600"; d="scan'208";a="130226928" From: Andrew Cooper To: Xen-devel CC: Andrew Cooper , Tamas K Lengyel , George Dunlap , Jan Beulich , Stefano Stabellini , Wei Liu , Julien Grall Subject: [PATCH] xen/sched: Fix UB shift in compat_set_timer_op() Date: Tue, 30 Jan 2024 21:27:05 +0000 Message-ID: <20240130212706.74303-1-andrew.cooper3@citrix.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @citrix.com) X-ZM-MESSAGEID: 1706650064247100001 Content-Type: text/plain; charset="utf-8" Tamas reported this UBSAN failure from fuzzing: (XEN) =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D (XEN) UBSAN: Undefined behaviour in common/sched/compat.c:48:37 (XEN) left shift of negative value -2147425536 (XEN) ----[ Xen-4.19-unstable x86_64 debug=3Dy ubsan=3Dy Not tainted ]= ---- ... (XEN) Xen call trace: (XEN) [] R ubsan.c#ubsan_epilogue+0xa/0xd9 (XEN) [] F __ubsan_handle_shift_out_of_bounds+0x11a/= 0x1c5 (XEN) [] F compat_set_timer_op+0x41/0x43 (XEN) [] F hvm_do_multicall_call+0x77f/0xa75 (XEN) [] F arch_do_multicall_call+0xec/0xf1 (XEN) [] F do_multicall+0x1dc/0xde3 (XEN) [] F hvm_hypercall+0xa00/0x149a (XEN) [] F vmx_vmexit_handler+0x1596/0x279c (XEN) [] F vmx_asm_vmexit_handler+0xdb/0x200 Left-shifting any negative value is strictly undefined behaviour in C, and the two parameters here come straight from the guest. The fuzzer happened to choose lo 0xf, hi 0x8000e300. Switch everything to be unsigned values, making the shift well defined. As GCC documents: As an extension to the C language, GCC does not use the latitude given in C99 and C11 only to treat certain aspects of signed '<<' as undefined. However, -fsanitize=3Dshift (and -fsanitize=3Dundefined) will diagnose su= ch cases. this was deemed not to need an XSA. Fixes: 2942f45e09fb ("Enable compatibility mode operation for HYPERVISOR_sc= hed_op and HYPERVISOR_set_timer_op.") Reported-by: Tamas K Lengyel Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- CC: George Dunlap CC: Jan Beulich CC: Stefano Stabellini CC: Wei Liu CC: Julien Grall --- xen/common/sched/compat.c | 4 ++-- xen/include/hypercall-defs.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/sched/compat.c b/xen/common/sched/compat.c index d718e450d40b..dd97593630ee 100644 --- a/xen/common/sched/compat.c +++ b/xen/common/sched/compat.c @@ -43,9 +43,9 @@ static int compat_poll(struct compat_sched_poll *compat) =20 #include "core.c" =20 -int compat_set_timer_op(uint32_t lo, int32_t hi) +int compat_set_timer_op(uint32_t lo, uint32_t hi) { - return do_set_timer_op(((s64)hi << 32) | lo); + return do_set_timer_op(((uint64_t)hi << 32) | lo); } =20 #endif /* __COMMON_SCHED_COMPAT_C__ */ diff --git a/xen/include/hypercall-defs.c b/xen/include/hypercall-defs.c index 6d361ddfce1b..47c093acc84d 100644 --- a/xen/include/hypercall-defs.c +++ b/xen/include/hypercall-defs.c @@ -134,7 +134,7 @@ xenoprof_op(int op, void *arg) =20 #ifdef CONFIG_COMPAT prefix: compat -set_timer_op(uint32_t lo, int32_t hi) +set_timer_op(uint32_t lo, uint32_t hi) multicall(multicall_entry_compat_t *call_list, uint32_t nr_calls) memory_op(unsigned int cmd, void *arg) #ifdef CONFIG_IOREQ_SERVER base-commit: cc6ba68edf6dcd18c3865e7d7c0f1ed822796426 prerequisite-patch-id: de9234b4d0488be5b3be5e2ec23e85789086debc --=20 2.30.2