[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [PATCH v6 4/5] common/domain: add a domain context record for shared_info...

> -----Original Message-----
> From: Jan Beulich <jbeulich@xxxxxxxx>
> Sent: 28 May 2020 10:42
> To: Paul Durrant <paul@xxxxxxx>
> Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx; Durrant, Paul <pdurrant@xxxxxxxxxxxx>; 
> Ian Jackson
> <ian.jackson@xxxxxxxxxxxxx>; Wei Liu <wl@xxxxxxx>; Andrew Cooper 
> <andrew.cooper3@xxxxxxxxxx>; George
> Dunlap <george.dunlap@xxxxxxxxxx>; Julien Grall <julien@xxxxxxx>; Stefano 
> Stabellini
> <sstabellini@xxxxxxxxxx>
> Subject: RE: [EXTERNAL] [PATCH v6 4/5] common/domain: add a domain context 
> record for shared_info...
> 
> CAUTION: This email originated from outside of the organization. Do not click 
> links or open
> attachments unless you can confirm the sender and know the content is safe.
> 
> 
> 
> On 27.05.2020 19:34, Paul Durrant wrote:
> > @@ -1649,6 +1650,75 @@ int continue_hypercall_on_cpu(
> >      return 0;
> >  }
> >
> > +static int save_shared_info(const struct domain *d, struct domain_context 
> > *c,
> > +                            bool dry_run)
> > +{
> > +    struct domain_shared_info_context ctxt = {
> > +#ifdef CONFIG_COMPAT
> > +        .flags = has_32bit_shinfo(d) ? DOMAIN_SAVE_32BIT_SHINFO : 0,
> > +        .buffer_size = has_32bit_shinfo(d) ?
> > +                       sizeof(struct compat_shared_info) :
> > +                       sizeof(struct shared_info),
> > +#else
> > +        .buffer_size = sizeof(struct shared_info),
> > +#endif
> 
> To prevent disconnect between the types used here and the actual
> pointer copied from, I'd have preferred
> 
> #ifdef CONFIG_COMPAT
>         .flags = has_32bit_shinfo(d) ? DOMAIN_SAVE_32BIT_SHINFO : 0,
>         .buffer_size = has_32bit_shinfo(d) ?
>                        sizeof(d->shared_info->compat) :
>                        sizeof(d->shared_info->native),
> #else
>         .buffer_size = sizeof(*d->shared_info),
> #endif
> 
> But this is secondary, as the types indeed are very unlikely to go
> out of sync. What's more important is ...
> 
> > +static int load_shared_info(struct domain *d, struct domain_context *c)
> > +{
> > +    struct domain_shared_info_context ctxt;
> > +    size_t hdr_size = offsetof(typeof(ctxt), buffer);
> > +    unsigned int i;
> > +    int rc;
> > +
> > +    rc = DOMAIN_LOAD_BEGIN(SHARED_INFO, c, &i);
> > +    if ( rc )
> > +        return rc;
> > +
> > +    if ( i ) /* expect only a single instance */
> > +        return -ENXIO;
> > +
> > +    rc = domain_load_data(c, &ctxt, hdr_size);
> > +    if ( rc )
> > +        return rc;
> > +
> > +    if ( ctxt.buffer_size > sizeof(shared_info_t) ||
> > +         (ctxt.flags & ~DOMAIN_SAVE_32BIT_SHINFO) )
> > +        return -EINVAL;
> > +
> > +    if ( ctxt.flags & DOMAIN_SAVE_32BIT_SHINFO )
> > +#ifdef CONFIG_COMPAT
> > +        has_32bit_shinfo(d) = true;
> > +#else
> > +        return -EINVAL;
> > +#endif
> > +
> > +    rc = domain_load_data(c, d->shared_info, sizeof(shared_info_t));
> > +    if ( rc )
> > +        return rc;
> 
> ... the still insufficient checking here. You shouldn't accept more
> than sizeof(d->shared_info->compat) worth of data in the compat case
> if you also don't accept more than sizeof(shared_info_t) in the
> native case. To save another round trip I'll offer to make the
> adjustments while committing, but patches 3 and 5 want Andrew's ack
> first anyway.

Ok, thanks.

  Paul

> 
> Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.