[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.14] xen/hypfs: fix writing of custom parameter



commit 54789343ce51ef1595010b13e092863a50cb38ee
Author:     Juergen Gross <jgross@xxxxxxxx>
AuthorDate: Tue Sep 22 17:38:06 2020 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 22 17:38:06 2020 +0200

    xen/hypfs: fix writing of custom parameter
    
    Today the maximum allowed data length for writing a hypfs node is
    tested in the generic hypfs_write() function. For custom runtime
    parameters this might be wrong, as the maximum allowed size is derived
    from the buffer holding the current setting, while there might be ways
    to set the parameter needing more characters than the minimal
    representation of that value.
    
    One example for this is the "ept" parameter. Its value buffer is sized
    to be able to hold the string "exec-sp=0" or "exec-sp=1", while it is
    allowed to use e.g. "no-exec-sp" or "exec-sp=yes" for setting it.
    
    Fix that by moving the length check one level down to the type
    specific write function.
    
    In order to avoid allocation of arbitrary sized buffers use a new
    MAX_PARAM_SIZE macro as an upper limit for custom writes. The value
    of MAX_PARAM_SIZE is the same as the limit in parse_params() for a
    single parameter.
    
    Fixes: a659d7cab9af ("xen: add runtime parameter access support to hypfs")
    Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Tested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: b4e41b1750d550bf2b1ccf97ee46f4f682bdbb62
    master date: 2020-09-11 14:20:10 +0200
---
 xen/common/hypfs.c      | 11 +++++++----
 xen/common/kernel.c     |  2 +-
 xen/include/xen/param.h |  3 +++
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/xen/common/hypfs.c b/xen/common/hypfs.c
index b74c228191..8e932b5cf9 100644
--- a/xen/common/hypfs.c
+++ b/xen/common/hypfs.c
@@ -297,7 +297,9 @@ int hypfs_write_leaf(struct hypfs_entry_leaf *leaf,
     int ret;
 
     ASSERT(this_cpu(hypfs_locked) == hypfs_write_locked);
-    ASSERT(ulen <= leaf->e.max_size);
+
+    if ( ulen > leaf->e.max_size )
+        return -ENOSPC;
 
     if ( leaf->e.type != XEN_HYPFS_TYPE_STRING &&
          leaf->e.type != XEN_HYPFS_TYPE_BLOB && ulen != leaf->e.size )
@@ -356,6 +358,10 @@ int hypfs_write_custom(struct hypfs_entry_leaf *leaf,
 
     ASSERT(this_cpu(hypfs_locked) == hypfs_write_locked);
 
+    /* Avoid oversized buffer allocation. */
+    if ( ulen > MAX_PARAM_SIZE )
+        return -ENOSPC;
+
     buf = xzalloc_array(char, ulen);
     if ( !buf )
         return -ENOMEM;
@@ -386,9 +392,6 @@ static int hypfs_write(struct hypfs_entry *entry,
 
     ASSERT(entry->max_size);
 
-    if ( ulen > entry->max_size )
-        return -ENOSPC;
-
     l = container_of(entry, struct hypfs_entry_leaf, e);
 
     return entry->write(l, uaddr, ulen);
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index 9de07b7ac5..c3a943f077 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -57,7 +57,7 @@ static int assign_integer_param(const struct kernel_param 
*param, uint64_t val)
 static int parse_params(const char *cmdline, const struct kernel_param *start,
                         const struct kernel_param *end)
 {
-    char opt[128], *optval, *optkey, *q;
+    char opt[MAX_PARAM_SIZE], *optval, *optkey, *q;
     const char *p = cmdline, *key;
     const struct kernel_param *param;
     int rc, final_rc = 0;
diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h
index c2fd075dd0..67ce6edf88 100644
--- a/xen/include/xen/param.h
+++ b/xen/include/xen/param.h
@@ -26,6 +26,9 @@ struct kernel_param {
     } par;
 };
 
+/* Maximum length of a single parameter string. */
+#define MAX_PARAM_SIZE 128
+
 extern const struct kernel_param __setup_start[], __setup_end[];
 
 #define __param(att)      static const att \
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.14



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.