[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6 4/5] common/domain: add a domain context record for shared_info...



On 27.05.2020 19:34, Paul Durrant wrote:
> @@ -1649,6 +1650,75 @@ int continue_hypercall_on_cpu(
>      return 0;
>  }
>  
> +static int save_shared_info(const struct domain *d, struct domain_context *c,
> +                            bool dry_run)
> +{
> +    struct domain_shared_info_context ctxt = {
> +#ifdef CONFIG_COMPAT
> +        .flags = has_32bit_shinfo(d) ? DOMAIN_SAVE_32BIT_SHINFO : 0,
> +        .buffer_size = has_32bit_shinfo(d) ?
> +                       sizeof(struct compat_shared_info) :
> +                       sizeof(struct shared_info),
> +#else
> +        .buffer_size = sizeof(struct shared_info),
> +#endif

To prevent disconnect between the types used here and the actual
pointer copied from, I'd have preferred

#ifdef CONFIG_COMPAT
        .flags = has_32bit_shinfo(d) ? DOMAIN_SAVE_32BIT_SHINFO : 0,
        .buffer_size = has_32bit_shinfo(d) ?
                       sizeof(d->shared_info->compat) :
                       sizeof(d->shared_info->native),
#else
        .buffer_size = sizeof(*d->shared_info),
#endif

But this is secondary, as the types indeed are very unlikely to go
out of sync. What's more important is ...

> +static int load_shared_info(struct domain *d, struct domain_context *c)
> +{
> +    struct domain_shared_info_context ctxt;
> +    size_t hdr_size = offsetof(typeof(ctxt), buffer);
> +    unsigned int i;
> +    int rc;
> +
> +    rc = DOMAIN_LOAD_BEGIN(SHARED_INFO, c, &i);
> +    if ( rc )
> +        return rc;
> +
> +    if ( i ) /* expect only a single instance */
> +        return -ENXIO;
> +
> +    rc = domain_load_data(c, &ctxt, hdr_size);
> +    if ( rc )
> +        return rc;
> +
> +    if ( ctxt.buffer_size > sizeof(shared_info_t) ||
> +         (ctxt.flags & ~DOMAIN_SAVE_32BIT_SHINFO) )
> +        return -EINVAL;
> +
> +    if ( ctxt.flags & DOMAIN_SAVE_32BIT_SHINFO )
> +#ifdef CONFIG_COMPAT
> +        has_32bit_shinfo(d) = true;
> +#else
> +        return -EINVAL;
> +#endif
> +
> +    rc = domain_load_data(c, d->shared_info, sizeof(shared_info_t));
> +    if ( rc )
> +        return rc;

... the still insufficient checking here. You shouldn't accept more
than sizeof(d->shared_info->compat) worth of data in the compat case
if you also don't accept more than sizeof(shared_info_t) in the
native case. To save another round trip I'll offer to make the
adjustments while committing, but patches 3 and 5 want Andrew's ack
first anyway.

Jan



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.