Subject: Re: [RFC PATCH v2 2/2] target/ppc: make gdb able to translate priviledged addresses
From: Bruno Piazera Larsen <bruno.larsen@eldorado.org.br>
To: Philippe Mathieu-Daudé, qemu-devel@nongnu.org
Cc: farosas@linux.ibm.com, richard.henderson@linaro.org, luis.pires@eldorado.org.br, Greg Kurz, lucas.araujo@eldorado.org.br, fernando.valle@eldorado.org.br, qemu-ppc@nongnu.org, Miroslav Rezanina, matheus.ferst@eldorado.org.br, david@gibson.dropbear.id.au
Date: Tue, 15 Jun 2021 09:12:59 -0300
Message-ID: <2013bf68-5da2-b0f7-4dd5-e3d5271e5e52@eldorado.org.br>
References: <20210614191630.101304-1-bruno.larsen@eldorado.org.br> <20210614191630.101304-2-bruno.larsen@eldorado.org.br>
On 14/06/2021 16:37, Philippe Mathieu-Daudé wrote:
On 6/14/21 9:16 PM, Bruno Larsen (billionai) wrote:
This patch changes ppc_cpu_get_phys_page_debug so that it is now
able to translate both privileged and real mode addresses
independently of whether the CPU executing it has those permissions.

This was mentioned by Fabiano as something that would be very useful to
help with debugging, but could possibly constitute a security issue if
that debug function can be called in some way by production code. The
solution was implemented such that it would be trivial to wrap it around
ifdefs for building only with --enable-debug, for instance, but we are
not sure this is the best approach, hence why it is an RFC.

Suggested-by: Fabiano Rosas <farosas@linux.ibm.com>
Signed-off-by: Bruno Larsen (billionai) <bruno.larsen@eldorado.org.br>
---
 target/ppc/mmu_helper.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/target/ppc/mmu_helper.c b/target/ppc/mmu_helper.c
index 9dcdf88597..41c727c690 100644
--- a/target/ppc/mmu_helper.c
+++ b/target/ppc/mmu_helper.c
@@ -2947,6 +2947,29 @@ hwaddr ppc_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
                   cpu_mmu_index(&cpu->env, true), false)) {
         return raddr & TARGET_PAGE_MASK;
     }
+
+    /*
+     * This is a fallback, in case we're asking for priviledged memory to
+     * be printed, but the PCU is not executing in a priviledged manner.
+     *
+     * The code could be considered a security vulnerability if
+     * this function can be called in a scenario that does not involve
+     * debugging.
+     * Given the name and how useful using real addresses may be for
+     * actually debugging, however, we decided to include it anyway and
+     * discuss how to best avoid the possible security concerns.
+     * The current plan is that, if there is a chance this code is called in
+     * a production environment, we can surround it with ifdefs so that it
+     * is only compiled with --enable-debug
Nothing forbids us from using --enable-debug in a production environment.

True, but in general, running a debug build is considered a path to vulnerabilities one would consider to be avoidable. Also, I am not sure of a much better way to help devs that use QEMU without opening up to these kinds of info-leak vulnerabilities, since it's literally what we want the code to do.

Having it require source code manipulation, like DO_CPU_STATISTICS did, could work, but it could also bit rot quickly.

Definitely open to more discussion on the topic! :)


+     */
+        /* attempt to translate first with virtual addresses */
+    if (ppc_xlate(cpu, addr, MMU_DATA_LOAD, &raddr, &s, &p, 1, false) ||
+        ppc_xlate(cpu, addr, MMU_INST_FETCH, &raddr, &s, &p, 1, false) ||
+        /* if didn't work, attempt to translate with real addresses */
+        ppc_xlate(cpu, addr, MMU_DATA_LOAD, &raddr, &s, &p, 3, false) ||
+        ppc_xlate(cpu, addr, MMU_INST_FETCH, &raddr, &s, &p, 3, false)) {
+        return raddr & TARGET_PAGE_MASK;
+    }
     return -1;
 }
 
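Review bot: the fallback hard-codes the MMU indices `1` and `3` in the four `ppc_xlate()` calls, while the path just above derives its index from `cpu_mmu_index(&cpu->env, true)`; named constants, or at least a comment saying which translation mode each index selects beyond "virtual addresses" and "real addresses", would make the intent checkable in review. In the comment block, `PCU` should read `CPU` and `priviledged` should read `privileged`, and the line `/* attempt to translate first with virtual addresses */` is indented one level deeper than the `if` it annotates. Since the only guard under discussion is compile-time (`--enable-debug`), the comment should also state explicitly that this fallback is safe only while `ppc_cpu_get_phys_page_debug` is reachable solely from the gdb/debug path, so that any future caller from a non-debug path stands out as a problem.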
--
Bruno Piazera Larsen
Instituto de Pesquisas ELDORADO
Departamento Computação Embarcada
Analista de Software Trainee