[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6 4/5] common/domain: add a domain context record for shared_info...

To: Paul Durrant <paul@xxxxxxx>
From: Jan Beulich <jbeulich@xxxxxxxx>
Date: Thu, 28 May 2020 11:42:24 +0200
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Paul Durrant <pdurrant@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 28 May 2020 09:42:32 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 27.05.2020 19:34, Paul Durrant wrote:
> @@ -1649,6 +1650,75 @@ int continue_hypercall_on_cpu(
>      return 0;
>  }
>  
> +static int save_shared_info(const struct domain *d, struct domain_context *c,
> +                            bool dry_run)
> +{
> +    struct domain_shared_info_context ctxt = {
> +#ifdef CONFIG_COMPAT
> +        .flags = has_32bit_shinfo(d) ? DOMAIN_SAVE_32BIT_SHINFO : 0,
> +        .buffer_size = has_32bit_shinfo(d) ?
> +                       sizeof(struct compat_shared_info) :
> +                       sizeof(struct shared_info),
> +#else
> +        .buffer_size = sizeof(struct shared_info),
> +#endif

To prevent disconnect between the types used here and the actual
pointer copied from, I'd have preferred

#ifdef CONFIG_COMPAT
        .flags = has_32bit_shinfo(d) ? DOMAIN_SAVE_32BIT_SHINFO : 0,
        .buffer_size = has_32bit_shinfo(d) ?
                       sizeof(d->shared_info->compat) :
                       sizeof(d->shared_info->native),
#else
        .buffer_size = sizeof(*d->shared_info),
#endif

But this is secondary, as the types indeed are very unlikely to go
out of sync. What's more important is ...

> +static int load_shared_info(struct domain *d, struct domain_context *c)
> +{
> +    struct domain_shared_info_context ctxt;
> +    size_t hdr_size = offsetof(typeof(ctxt), buffer);
> +    unsigned int i;
> +    int rc;
> +
> +    rc = DOMAIN_LOAD_BEGIN(SHARED_INFO, c, &i);
> +    if ( rc )
> +        return rc;
> +
> +    if ( i ) /* expect only a single instance */
> +        return -ENXIO;
> +
> +    rc = domain_load_data(c, &ctxt, hdr_size);
> +    if ( rc )
> +        return rc;
> +
> +    if ( ctxt.buffer_size > sizeof(shared_info_t) ||
> +         (ctxt.flags & ~DOMAIN_SAVE_32BIT_SHINFO) )
> +        return -EINVAL;
> +
> +    if ( ctxt.flags & DOMAIN_SAVE_32BIT_SHINFO )
> +#ifdef CONFIG_COMPAT
> +        has_32bit_shinfo(d) = true;
> +#else
> +        return -EINVAL;
> +#endif
> +
> +    rc = domain_load_data(c, d->shared_info, sizeof(shared_info_t));
> +    if ( rc )
> +        return rc;

... the still insufficient checking here. You shouldn't accept more
than sizeof(d->shared_info->compat) worth of data in the compat case
if you also don't accept more than sizeof(shared_info_t) in the
native case. To save another round trip I'll offer to make the
adjustments while committing, but patches 3 and 5 want Andrew's ack
first anyway.

Jan

Follow-Ups:
- RE: [PATCH v6 4/5] common/domain: add a domain context record for shared_info...
  - From: Durrant, Paul

References:
- [PATCH v6 0/5] domain context infrastructure
  - From: Paul Durrant
- [PATCH v6 4/5] common/domain: add a domain context record for shared_info...
  - From: Paul Durrant

Prev by Date: Re: [PATCH 2/2] xen: credit2: limit the max number of CPUs in a runqueue
Next by Date: Re: [PATCH v2 01/14] x86/traps: Clean up printing in {do_reserved,fatal}_trap()
Previous by thread: Re: [PATCH v6 4/5] common/domain: add a domain context record for shared_info...
Next by thread: RE: [PATCH v6 4/5] common/domain: add a domain context record for shared_info...
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.