[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v4 2/3] xsm: consolidate loading the policy buffer
- To: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Tue, 31 May 2022 19:07:04 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=6fmpXhd8Nkq59qOHrKEQ95y2cZuWs+vh0baw+s8478k=; b=Z+GalL5xZs8QNc94wVsDXd7Y5JTFkxiI1brVgJQ7Ac9YLZBuAsSYQkkpf/6xA8lBeRamfJPn2VEt7A7kJlSq4St4Jtkr9K93p5Cp9ypyKRCxZA0U8Ah2OA7iTnSz2h+S2DyBXGQvQAUKvdHJWQxFsRuMtG2Cz68Cr4o4Q4LgAikJvEuNpLw/SVhjVlEVxSuZ63rydQ/gKGwPeGstt5eryf35Q3+v0xRp80lofcwavmbqBiN+/FgDhAVDU5I1gCj4yGO4P83AJtOmFvM69W2+0fajlIUlXs8kuLksqGQJ+YH6SxIHMAzl+ZYlur80njQLH8Hpb7EkSBB7cyv/oCizww==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bnqB7lnZVQ4N2RJsJwfcdM1ZwMpWgOOwWyIW+w003SSwkn31KZbhXVCZJLdXr4udBwbMch9sZKPEsyBIIYM1heGFVzWmZxrvhWxDABd3IuqDEaiKS/wLncm0d+Kk0ztcXbnf8h3Boy0geTfBzvy4/7xHjQOpEqc8gRb/dmuTw+JNPr7Qf+Zi2Ix+4veN4da33yj8gT8UZbeYSxdEU1AIAtucBchxqb9nMJlt0TDUH6BSbYQg/wMQHfLlDRlMcW+dG9ulG4nDI+MavY+yg59Xqc5M+gPDk8a2jSAuRoAm94/1XyBcVAQL3+RvicvpkfxhDuNKx69JNqM80MYg8uukhg==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: "scott.davis@xxxxxxxxxx" <scott.davis@xxxxxxxxxx>, "christopher.clark@xxxxxxxxxx" <christopher.clark@xxxxxxxxxx>, "jandryuk@xxxxxxxxx" <jandryuk@xxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
- Delivery-date: Tue, 31 May 2022 19:07:18 +0000
- Ironport-data: A9a23:8TGbKa/Ddpr3FK7DIYtdDrUDU3+TJUtcMsCJ2f8bNWPcYEJGY0x3z GYfXTuCPviCazfzeNlwbtmw9x5T6pTSmtAxSAVl+Sg8E34SpcT7XtnIdU2Y0wF+jyHgoOCLy +1EN7Es+ehtFie0Si+Fa+Sn9T8mvU2xbuKU5NTsY0idfic5DnZ44f5fs7Rh2NQw3IPgW1jlV e7a+KUzBnf0g1aYDUpMg06zgEsHUCPa4W5wUvQWPJinjXeG/5UnJMt3yZKZdhMUdrJ8DO+iL 9sv+Znilo/vE7XBPfv++lrzWhVirrc/pmFigFIOM0SpqkAqSiDfTs/XnRfTAKtao2zhojx/9 DlCna6ZWykPAI6VpPoEYTBSNn1aAK9l1paSdBBTseTLp6HHW13F5qw0SWsQbcgf8OsxBnxS/ /sFLjxLdgqEm++93LO8TK9rm9gnK87oeogYvxmMzxmAVapgHc+FHviMvIACtNszrpkm8fL2T swVczdwKj/HZAVCIAw/A5Mihua4wHL4dlW0rXrK//tqvTSLlWSd1pDqb9jFW4ylffxPg3SBg EfZ/G++IDwFYYn3JT2ttyjEavX0tS/jQ4cTCL2Q/+ZnmkGO3XcUDAAKVFy9ur+yjUvWc8JSL QkY9zQjqYA29Ve3VZ/tUhugunmGsxUAHd1KHIUS8wqK1raS7w+HB3MsVSJIctgvvok3QlQC3 V+Tnsj1AiRvvafTQnaU7LS8ti+7IywcJykDYkcsTwID78PyvYIbgRfGT9IlG6mw5vX5Fj39z CqDhDQvjLUUy8gQ3uO0+k6vvt63jp3ATwpw7AOHWGugt1l9fNT8ONbu7kXH5/FdKorfVkOGo HUPh8mZ6qYJEI2JkyuOBu4KGdlF+sq4DdEVunY3d7FJythn0yfLkVx4iN2mGHpUDw==
- Ironport-hdrordr: A9a23:BdytmKxWK1rVh+q9hWn3KrPxdegkLtp133Aq2lEZdPULSKGlfp GV9sjziyWetN9IYgBapTiBUJPwIk81bfZOkMUs1MSZLXPbUQyTXc5fBOrZsnDd8kjFmtK1up 0QFJSWZOeQMbE+t7eD3ODaKadv/DDkytHPuQ629R4EIm9XguNbnn5E422gYy9LrXx9dP4E/e 2nl696TlSbGUg/X4CePD0oTuLDr9rEmNbNehgdHSMq7wGIkHeB9KP6OwLw5GZfbxp/hZMZtU TVmQ3w4auu99uhzAXH6mPV55NK3PP819p4AtCWgMR9EESutu/oXvUiZ1SxhkFwnAid0idsrD AKmWZnAy1H0QKVQohym2q15+Cv6kd315ao8y7kvZKqm72EeNt9MbsBuWsRSGqm16Jr1usMr5 5jziaXsYFaAgjHmzm479/UVwtynk7xunY6l/UP5kYvGbf2RYUh27D3xnklWavo3RiKmrwPAa 1rFoXR9fxWeVSVYzTQuXRu2sWlWjA2Eg2dSkYPt8SJ23wO9UoJhXcw1YgahDMN5Zg9Q55L66 DNNblpjqhHSosTYbhmDOkMTMOrAijGQA7KMmiVPVP7fZt3cE7lutry+vE49euqcJsHwN87n4 nASkpRsSood0fnGaS1rep2G9D2MRGAtBjWu7FjDsJCy8zBrZLQQF6+YUFrlde8qPMCBcCeU+ qvOfttcoreEVc=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHYdRttYyzERFwD3EWagofaBthvzK05WQKA
- Thread-topic: [PATCH v4 2/3] xsm: consolidate loading the policy buffer
On 31/05/2022 19:20, Daniel P. Smith wrote:
> diff --git a/xen/xsm/xsm_policy.c b/xen/xsm/xsm_policy.c
> index 8dafbc9381..690fd23e9f 100644
> --- a/xen/xsm/xsm_policy.c
> +++ b/xen/xsm/xsm_policy.c
> @@ -8,7 +8,7 @@
> * Contributors:
> * Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
> * George Coker, <gscoker@xxxxxxxxxxxxxx>
> - *
> + *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License version 2,
> * as published by the Free Software Foundation.
> @@ -32,14 +32,21 @@
> #ifdef CONFIG_MULTIBOOT
> int __init xsm_multiboot_policy_init(
> unsigned long *module_map, const multiboot_info_t *mbi,
> - void **policy_buffer, size_t *policy_size)
> + const unsigned char **policy_buffer, size_t *policy_size)
> {
> int i;
> module_t *mod = (module_t *)__va(mbi->mods_addr);
> - int rc = 0;
> + int rc = -ENOENT;
> u32 *_policy_start;
> unsigned long _policy_len;
>
> +#ifdef CONFIG_XSM_FLASK_POLICY
> + /* Initially set to builtin policy, overriden if boot module is found. */
> + *policy_buffer = xsm_flask_init_policy;
> + *policy_size = xsm_flask_init_policy_size;
> + rc = 0;
> +#endif
Does
if ( IS_ENABLED(CONFIG_XSM_FLASK_POLICY) )
{
...
}
compile properly? You'll need to drop the ifdefary in xsm.h, but this
would be a better approach (more compiler coverage in normal builds).
Same for the related hunk on the DT side.
> +
> /*
> * Try all modules and see whichever could be the binary policy.
> * Adjust module_map for the module that is the binary policy.
> @@ -54,13 +61,14 @@ int __init xsm_multiboot_policy_init(
>
> if ( (xsm_magic_t)(*_policy_start) == XSM_MAGIC )
> {
> - *policy_buffer = _policy_start;
> + *policy_buffer = (unsigned char *)_policy_start;
The existing logic is horrible. To start with, there's a buffer overrun
for a module of fewer than 4 bytes. (Same on the DT side.)
It would be slightly less horrible as
for ( ... )
{
void *ptr;
if ( !test_bit(i, module_map) || mod[i].mod_end < sizeof(xsm_header) )
continue;
ptr = bootstrap_map(...);
if ( memcmp(ptr, XSM_MAGIC, sizeof(XSM_MAGIC)) == 0 )
{
*policy_buffer = ptr;
*policy_len = mod[i].mod_end;
...
break;
}
bootstrap_map(NULL);
}
because at least this gets rid of the intermediate variables, the buffer
overrun, and the awkward casting to find XSM_MAGIC.
That said, it's still unclear what's going on, because has_xsm_magic()
says the header is 16 bytes long, rather than 4 (assuming that it means
uint32_t. policydb_read() uses uint32_t).
Also, policydb_read() uses le32_to_cpu() so the multiboot/dt checks are
wrong on big-endian systems.
Also also, policydb_read() really doesn't need to make a temporary
memory allocation to check a fixed string of fixed length. This is
horrible.
I suspect we're getting into "in a subsequent patch" territory here.
~Andrew
|