[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 8/8] libelf: safety: Document safety principles in header file



>>> On 16.12.16 at 12:43, <ian.jackson@xxxxxxxxxxxxx> wrote:
> Jan Beulich writes ("Re: [PATCH 8/8] libelf: safety: Document safety 
> principles in header file"):
>> On 09.12.16 at 16:44, <ian.jackson@xxxxxxxxxxxxx> wrote:
>> > + *  - Stack local buffer variables containing information derived from
>> > + *    the image (including structs, or byte buffers) must be
>> > + *    completely zeroed, using elf_memset_unchecked (and an
>> > + *    accompanying elf_iter_ok_counted) on entry to the function (or
>> > + *    somewhere very obviously near there).
>> > + *
>> > + *        Rationale: This avoids uninitialised stack data being used
>> > + *        as input to any of the loader.
>> 
>> What distinguishes a "buffer variable" from a plain variable? I.e.
>> where is the boundary here as to which ones need zeroing?
> 
> The hazard is an undiscovered uninitialised variable.  "Undiscovered"
> meaning static analysis tools won't find it (eg Coverity will find
> many if not most normal uninitialised variables).
> 
> This is the biggest risk for variables which can be partially
> initialised: ie, structs and arrays.  It is more difficult to reason
> about variables which can be partially initialised.

I guess you meant "can't"? In any event the wording may want
some clarification then.

>> Also,
>> I don't think zeroing is needed when a variable gets fully written
>> over (like in a structure assignment). Do you perhaps want to
>> limit the above to "directly derived from the image"?
> 
> Structure assignment does not necessarily write over the whole
> variable.  It may leave the padding un-overwritten.

Oh, true.

>> > + *  - Do not add code which is not necessary for libelf to function
>> > + *    with correct input, or to avoid being vulnerable to incorrect
>> > + *    input.  Do not add additional functionally-unnecessary checks
>> > + *    for diagnosing problems with the image, or validating sanity of
>> > + *    the input ELF.
> ...
>> While I can understand your reasoning, I continue to think that
>> libelf in a ELF loader, and hence should check certain things. The
>> best example I currently know of are e_[ps]hentsize, which the
>> code uses without checking the lower valid bound.
> 
> You don't give a counterargument to my reasoning:
> 
>> > + *        Rationale: Redundant checks have almost zero benefit because
>> > + *        1. we do not expect ELF-generating tools to generate invalid
>> > + *        ELFs so these checks' failure paths will very likely never
>> > + *        be executed anywhere, and 2. anyone debugging such a
>> > + *        hypothetical bad ELF will have a variety of tools available
>> > + *        which will do a much better job of analysing it.

Well, because as said - I can understand it, given the perspective
you take.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.