Xen project Mailing List

Re: [PATCH 4/4] xen/version: Introduce non-truncating XENVER_* subops

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Wed, 4 Jan 2023 18:04:29 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=cTxVePJt05zGmcAekCz40ZmvpoevLyoOtQJxIKsCzm8=; b=E0vNktuH22uBUt5578eWUBpsB0n8QttkP2ZI/s84JPB0tDgQNN7H4mMyEoazdaeoRWnVQB/7SWMXsqFvqlE9SnlIgdco5a1UI71dfAT4xaHJN3wpNr+PykVnlM0Ob8GG3I2VQ+wce+vf2SKOX0QR7rj1lXqiAMpwXA/BX8/Adso9gFDObWL5EVVkiwPu66uaEk1wFHZLZptN5Zx1o60yXQIBRCMex8JcYR7kQFzpdFeIj4V3m89EkmBxO5aKvLroKeO55nHsaZuwW2ptXoFGSMTKszXwku59qhUO01YaDeGcqzvVUA+WQ462PgVsBcRfeOuMbaQdQcDI4G+ir63FGw==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XPyu6UHebCGyvPMdGlvnMEOnCDrvTE0VjL6ZB9MToYvCOMmiOr8T4r296TNmDVAdTo9yq4wNhBQZCNuNlHRbevMjX6FWpYGIK9G11Ent188TDy2cLu61byLLjJ/oGb5HBMiDgUI6EXWowexnIf1EMzoe3twddbIpK+RGQUJ1+xaJiFZKQ1mBZ9cWlZWllbX6LTzPCt7CmMLgrdtoLdkdbP0eDUJQzaXq0qNIXMr7J5ec9i0i9Bodt6CMnFJVhihdhF3OpHyWaeWWr4GChZpyUjCI4kL+U2nTqDX5aBqeBw+uFjw2ZFwFp+HdpnSbdR77JUeMLjXx0Iklfk5PsTmgPg==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Wed, 04 Jan 2023 17:04:38 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 03.01.2023 21:09, Andrew Cooper wrote: > Recently in XenServer, we have encountered problems caused by both > XENVER_extraversion and XENVER_commandline having fixed bounds. > > More than just the invariant size, the APIs/ABIs also broken by typedef-ing an > array, and using an unqualified 'char' which has implementation-specific > signed-ness. Which is fine as long as only ASCII is returned. If non-ASCII can be returned, I agree "unsigned char" is better, but then we also need to spell out what encoding the strings use (UTF-8 presumably). > API/ABI wise, XENVER_build_id could be merged into xenver_varstring_op(), but > the internal infrastructure is awkward. I guess build-id also doesn't fit the rest because of not returning strings, but indeed an array of bytes. You also couldn't use strlen() on the array. > @@ -469,6 +470,66 @@ static int __init cf_check param_init(void) > __initcall(param_init); > #endif > > +static long xenver_varstring_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg) > +{ > + const char *str = NULL; > + size_t sz = 0; > + union { > + xen_capabilities_info_t info; > + } u; > + struct xen_var_string user_str; > + > + switch ( cmd ) > + { > + case XENVER_extraversion2: > + str = xen_extra_version(); > + break; > + > + case XENVER_changeset2: > + str = xen_changeset(); > + break; > + > + case XENVER_commandline2: > + str = saved_cmdline; > + break; > + > + case XENVER_capabilities2: > + memset(u.info, 0, sizeof(u.info)); > + arch_get_xen_caps(&u.info); > + str = u.info; > + break; > + > + default: > + ASSERT_UNREACHABLE(); > + break; > + } > + > + if ( !str || > + !(sz = strlen(str)) ) > + return -ENODATA; /* failsafe */ Is this really appropriate for e.g. an empty command line? > + if ( sz > INT32_MAX ) > + return -E2BIG; /* Compat guests. 2G ought to be plenty. */ While the comment here and in the public header mention compat guests, the check is uniform. What's the deal? > + if ( guest_handle_is_null(arg) ) /* Length request */ > + return sz; > + > + if ( copy_from_guest(&user_str, arg, 1) ) > + return -EFAULT; > + > + if ( user_str.len == 0 ) > + return -EINVAL; > + > + if ( sz > user_str.len ) > + return -ENOBUFS; > + > + if ( copy_to_guest_offset(arg, offsetof(struct xen_var_string, buf), > + str, sz) ) > + return -EFAULT; Not inserting a nul terminator is going to make this slightly awkward to use. > @@ -103,6 +126,35 @@ struct xen_build_id { > }; > typedef struct xen_build_id xen_build_id_t; > > +/* > + * Container for an arbitrary variable length string. > + */ > +struct xen_var_string { > + uint32_t len; /* IN: size of buf[] in bytes. */ > + unsigned char buf[XEN_FLEX_ARRAY_DIM]; /* OUT: requested data. */ > +}; > +typedef struct xen_var_string xen_var_string_t; > + > +/* > + * arg == xenver_string_t Nit: xen_var_string_t (also again in the following text). > + * Equivalent to the original ops, but with a non-truncating API/ABI. > + * > + * Passing arg == NULL is a request for size. The returned size does not > + * include a NUL terminator, and has a practical upper limit of INT32_MAX for > + * 32bit guests. This is expected to be plenty for the purpose. As said above, the limit applies to all guests, which the wording here doesn't suggest. Jan > + * Otherwise, the input xenver_string_t provides the size of the following > + * buffer. Xen will fill the buffer, and return the number of bytes written > + * (e.g. if the input buffer was longer than necessary). > + * > + * These hypercalls can fail, in which case they'll return -XEN_Exx. > + */ > +#define XENVER_extraversion2 11 > +#define XENVER_capabilities2 12 > +#define XENVER_changeset2 13 > +#define XENVER_commandline2 14 > + > #endif /* __XEN_PUBLIC_VERSION_H__ */ > > /*

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.