[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v4 2/3] xsm: consolidate loading the policy buffer

  • To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Tue, 31 May 2022 19:07:04 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6fmpXhd8Nkq59qOHrKEQ95y2cZuWs+vh0baw+s8478k=; b=Z+GalL5xZs8QNc94wVsDXd7Y5JTFkxiI1brVgJQ7Ac9YLZBuAsSYQkkpf/6xA8lBeRamfJPn2VEt7A7kJlSq4St4Jtkr9K93p5Cp9ypyKRCxZA0U8Ah2OA7iTnSz2h+S2DyBXGQvQAUKvdHJWQxFsRuMtG2Cz68Cr4o4Q4LgAikJvEuNpLw/SVhjVlEVxSuZ63rydQ/gKGwPeGstt5eryf35Q3+v0xRp80lofcwavmbqBiN+/FgDhAVDU5I1gCj4yGO4P83AJtOmFvM69W2+0fajlIUlXs8kuLksqGQJ+YH6SxIHMAzl+ZYlur80njQLH8Hpb7EkSBB7cyv/oCizww==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bnqB7lnZVQ4N2RJsJwfcdM1ZwMpWgOOwWyIW+w003SSwkn31KZbhXVCZJLdXr4udBwbMch9sZKPEsyBIIYM1heGFVzWmZxrvhWxDABd3IuqDEaiKS/wLncm0d+Kk0ztcXbnf8h3Boy0geTfBzvy4/7xHjQOpEqc8gRb/dmuTw+JNPr7Qf+Zi2Ix+4veN4da33yj8gT8UZbeYSxdEU1AIAtucBchxqb9nMJlt0TDUH6BSbYQg/wMQHfLlDRlMcW+dG9ulG4nDI+MavY+yg59Xqc5M+gPDk8a2jSAuRoAm94/1XyBcVAQL3+RvicvpkfxhDuNKx69JNqM80MYg8uukhg==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: "scott.davis@xxxxxxxxxx" <scott.davis@xxxxxxxxxx>, "christopher.clark@xxxxxxxxxx" <christopher.clark@xxxxxxxxxx>, "jandryuk@xxxxxxxxx" <jandryuk@xxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Delivery-date: Tue, 31 May 2022 19:07:18 +0000
  • Ironport-data: A9a23:8TGbKa/Ddpr3FK7DIYtdDrUDU3+TJUtcMsCJ2f8bNWPcYEJGY0x3z GYfXTuCPviCazfzeNlwbtmw9x5T6pTSmtAxSAVl+Sg8E34SpcT7XtnIdU2Y0wF+jyHgoOCLy +1EN7Es+ehtFie0Si+Fa+Sn9T8mvU2xbuKU5NTsY0idfic5DnZ44f5fs7Rh2NQw3IPgW1jlV e7a+KUzBnf0g1aYDUpMg06zgEsHUCPa4W5wUvQWPJinjXeG/5UnJMt3yZKZdhMUdrJ8DO+iL 9sv+Znilo/vE7XBPfv++lrzWhVirrc/pmFigFIOM0SpqkAqSiDfTs/XnRfTAKtao2zhojx/9 DlCna6ZWykPAI6VpPoEYTBSNn1aAK9l1paSdBBTseTLp6HHW13F5qw0SWsQbcgf8OsxBnxS/ /sFLjxLdgqEm++93LO8TK9rm9gnK87oeogYvxmMzxmAVapgHc+FHviMvIACtNszrpkm8fL2T swVczdwKj/HZAVCIAw/A5Mihua4wHL4dlW0rXrK//tqvTSLlWSd1pDqb9jFW4ylffxPg3SBg EfZ/G++IDwFYYn3JT2ttyjEavX0tS/jQ4cTCL2Q/+ZnmkGO3XcUDAAKVFy9ur+yjUvWc8JSL QkY9zQjqYA29Ve3VZ/tUhugunmGsxUAHd1KHIUS8wqK1raS7w+HB3MsVSJIctgvvok3QlQC3 V+Tnsj1AiRvvafTQnaU7LS8ti+7IywcJykDYkcsTwID78PyvYIbgRfGT9IlG6mw5vX5Fj39z CqDhDQvjLUUy8gQ3uO0+k6vvt63jp3ATwpw7AOHWGugt1l9fNT8ONbu7kXH5/FdKorfVkOGo HUPh8mZ6qYJEI2JkyuOBu4KGdlF+sq4DdEVunY3d7FJythn0yfLkVx4iN2mGHpUDw==
  • Ironport-hdrordr: A9a23:BdytmKxWK1rVh+q9hWn3KrPxdegkLtp133Aq2lEZdPULSKGlfp GV9sjziyWetN9IYgBapTiBUJPwIk81bfZOkMUs1MSZLXPbUQyTXc5fBOrZsnDd8kjFmtK1up 0QFJSWZOeQMbE+t7eD3ODaKadv/DDkytHPuQ629R4EIm9XguNbnn5E422gYy9LrXx9dP4E/e 2nl696TlSbGUg/X4CePD0oTuLDr9rEmNbNehgdHSMq7wGIkHeB9KP6OwLw5GZfbxp/hZMZtU TVmQ3w4auu99uhzAXH6mPV55NK3PP819p4AtCWgMR9EESutu/oXvUiZ1SxhkFwnAid0idsrD AKmWZnAy1H0QKVQohym2q15+Cv6kd315ao8y7kvZKqm72EeNt9MbsBuWsRSGqm16Jr1usMr5 5jziaXsYFaAgjHmzm479/UVwtynk7xunY6l/UP5kYvGbf2RYUh27D3xnklWavo3RiKmrwPAa 1rFoXR9fxWeVSVYzTQuXRu2sWlWjA2Eg2dSkYPt8SJ23wO9UoJhXcw1YgahDMN5Zg9Q55L66 DNNblpjqhHSosTYbhmDOkMTMOrAijGQA7KMmiVPVP7fZt3cE7lutry+vE49euqcJsHwN87n4 nASkpRsSood0fnGaS1rep2G9D2MRGAtBjWu7FjDsJCy8zBrZLQQF6+YUFrlde8qPMCBcCeU+ qvOfttcoreEVc=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHYdRttYyzERFwD3EWagofaBthvzK05WQKA
  • Thread-topic: [PATCH v4 2/3] xsm: consolidate loading the policy buffer
On 31/05/2022 19:20, Daniel P. Smith wrote:
> diff --git a/xen/xsm/xsm_policy.c b/xen/xsm/xsm_policy.c
> index 8dafbc9381..690fd23e9f 100644
> --- a/xen/xsm/xsm_policy.c
> +++ b/xen/xsm/xsm_policy.c
> @@ -8,7 +8,7 @@
>   *  Contributors:
>   *  Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
>   *  George Coker, <gscoker@xxxxxxxxxxxxxx>
> - *  
> + *
>   *  This program is free software; you can redistribute it and/or modify
>   *  it under the terms of the GNU General Public License version 2,
>   *  as published by the Free Software Foundation.
> @@ -32,14 +32,21 @@
>  #ifdef CONFIG_MULTIBOOT
>  int __init xsm_multiboot_policy_init(
>      unsigned long *module_map, const multiboot_info_t *mbi,
> -    void **policy_buffer, size_t *policy_size)
> +    const unsigned char **policy_buffer, size_t *policy_size)
>  {
>      int i;
>      module_t *mod = (module_t *)__va(mbi->mods_addr);
> -    int rc = 0;
> +    int rc = -ENOENT;
>      u32 *_policy_start;
>      unsigned long _policy_len;
>  
> +#ifdef CONFIG_XSM_FLASK_POLICY
> +    /* Initially set to builtin policy, overriden if boot module is found. */
> +    *policy_buffer = xsm_flask_init_policy;
> +    *policy_size = xsm_flask_init_policy_size;
> +    rc = 0;
> +#endif

Does

if ( IS_ENABLED(CONFIG_XSM_FLASK_POLICY) )
{
    ...
}

compile properly?  You'll need to drop the ifdefary in xsm.h, but this
would be a better approach (more compiler coverage in normal builds).

Same for the related hunk on the DT side.

> +
>      /*
>       * Try all modules and see whichever could be the binary policy.
>       * Adjust module_map for the module that is the binary policy.
> @@ -54,13 +61,14 @@ int __init xsm_multiboot_policy_init(
>  
>          if ( (xsm_magic_t)(*_policy_start) == XSM_MAGIC )
>          {
> -            *policy_buffer = _policy_start;
> +            *policy_buffer = (unsigned char *)_policy_start;

The existing logic is horrible.  To start with, there's a buffer overrun
for a module of fewer than 4 bytes.  (Same on the DT side.)

It would be slightly less horrible as

for ( ... )
{
    void *ptr;

    if ( !test_bit(i, module_map) || mod[i].mod_end < sizeof(xsm_header) )
        continue;

    ptr = bootstrap_map(...);

    if ( memcmp(ptr, XSM_MAGIC, sizeof(XSM_MAGIC)) == 0 )
    {
        *policy_buffer = ptr;
        *policy_len = mod[i].mod_end;

        ...
        break;
    }

    bootstrap_map(NULL);
}

because at least this gets rid of the intermediate variables, the buffer
overrun, and the awkward casting to find XSM_MAGIC.

That said, it's still unclear what's going on, because has_xsm_magic()
says the header is 16 bytes long, rather than 4 (assuming that it means
uint32_t.  policydb_read() uses uint32_t).

Also, policydb_read() uses le32_to_cpu() so the multiboot/dt checks are
wrong on big-endian systems.

Also also, policydb_read() really doesn't need to make a temporary
memory allocation to check a fixed string of fixed length.  This is
horrible.

I suspect we're getting into "in a subsequent patch" territory here.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.