[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 05/11] tmem: don't access guest memory without using the accessors intended for this



>>> On 06.09.12 at 17:44, Dan Magenheimer <dan.magenheimer@xxxxxxxxxx> wrote:
>> > I'm a bit baffled by all the unrelated changes and cleanups, but
>> > they all appear to be valid fixes and, most importantly, the
>> > related security issues appear to be resolved.
>> 
>> Having gone through the patch once more, I'd be really
>> curious where you spotted unrelated changes (apart from
>> e.g. adding proper white space use on lines that needed
>> changing anyway).
>> 
>> With the size of the patch, and with this one having been
>> done when we still thought we would issue the patches
>> together with the advisory, I would really hope not to be
>> caught to have done unnecessary changes here (while
>> still preserving generic style of the code, see below).
> 
> Again, I am not criticizing the end result or any part of
> the patch, just noting that some of it _could_ have been
> separated to a different patch, which would have made it
> _much_ more obvious what was the core fix for the security issue.
> No need to reiterate your reasons, I'm only providing more
> detail here because it sounds as if you are asking sincerely,
> not defensively.

With the below, I'm afraid you didn't review the patch
properly, or am still having problems understanding the
security aspects here.

> - changing NULL to tmh_cli_buf_null

The latter is not a simple #define of NULL.

> - changing parameter void *cva to tmem_cli_va_t clibuf,
>   which results in

Similarly, tmem_cli_va_t is not an equivalent of "void *".

>   - changing all lines that use that that parameter
>    which gave you the license to

Preserving the name of the parameter was just calling for
overlooking things. Hence, with the type change I also
changed the name (and where necessary introduced new
local variables with the old type and name, serving the
original purpose).

>    - cleanup the whitespace in all those lines

As said, I permitted myself to do this on lines I had to touch
anyway.

> - all code using -EFAULT that you changed to "< 0"
>   works correctly (though is admittedly fragile)

I don't think so - note that the changes were to "<= 0", as some
of the functions only return 1 as success indicator (and pass 0
apparently to indicate didn't do anything or some such - this
aspect of the original code was confusing me quite a bit, and
I can't exclude I broke something there).

> - inlining the use of the bool "tmemc"

Yes, this one could have been preserved, but (almost) all of its
uses would have required changes anyway.

> - the addition of scratch (which I think I understand may
>   patch a security hole undocumented in the commit comment?)

No, this was a requirement for fixing what the comment says is
being fixed: Not being allowed to directly access guest memory,
scratch space is needed for calling the compression functions.
The alternative would have been to pass guest handles to the
compression code, which would have implied touching that
code too. I think you agree that would have been a much worse
choice.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.