
Re: [Xen-devel] [PATCH v3] xen/tools: Introduce QNX IFS loader



Ian Campbell writes ("Re: [Xen-devel] [PATCH v3] xen/tools: Introduce QNX IFS loader"):
> On Tue, 2014-09-23 at 17:19 +0100, Ian Jackson wrote:
> > These would all have been security bugs if the v3 patch had been
> > accepted.  They would have been bugs that would potentially amount to
> > privilege escalation for very many Xen installations.
> 
> Well, those booting untrusted QNX guests on ARM, which won't be many
> yet, but point taken...

No.  The loader would run whenever it seems the appropriate image
type, so everyone with it compiled in is vulnerable.

Admittedly you are right that this is only ARM users.

> > I think we should be considering whether to take an approach similar
> > to that taken in libelf after XSA-55.  The code can probably be
> > reused.
> 
> I think something like that would be good, but would be a much bigger
> yak than we can reasonably ask to be shaved here, since it would need
> to transition the core xc_dom builder code and all of the loaders for
> both ARM and x86.
> 
> And it's certainly not 4.5 material at this point.

In that case this code needs a very thorough review process.

I suggest the following approach: the submitters conduct a very
serious and thorough security review.  When they are happy that they
have a bug-free submission, they send it with at least an ack from a
colleague.

I will then review it in detail looking for security bugs.  If I find
even one, the whole patch will be rejected for 4.5 and we will look at
the more substantial approach for post-4.5.

This may sound harsh, but security review of this kind of code is very
difficult work and not particularly reliable at finding bugs.  A
system where the patch is simply resubmitted, after fixing those bugs
found by the first security review, will probably result in
undiscovered bugs being accepted.

Ian.
