|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen staging] xen/hypfs: CFI hardening
commit 0cccb0416e5480822a54bd74066f73c14238b168
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Fri Oct 29 15:42:42 2021 +0100
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Wed Feb 23 15:33:43 2022 +0000
xen/hypfs: CFI hardening
Control Flow Integrity schemes use toolchain and optionally hardware support
to help protect against call/jump/return oriented programming attacks.
Use cf_check to annotate function pointer targets for the toolchain.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Acked-by: Juergen Gross <jgross@xxxxxxxx>
---
xen/common/hypfs.c | 57 +++++++++++++++++++++++-----------------------
xen/common/sched/cpupool.c | 25 ++++++++++----------
xen/include/xen/hypfs.h | 49 +++++++++++++++++++--------------------
3 files changed, 65 insertions(+), 66 deletions(-)
diff --git a/xen/common/hypfs.c b/xen/common/hypfs.c
index 1526bcc528..0d22396f5d 100644
--- a/xen/common/hypfs.c
+++ b/xen/common/hypfs.c
@@ -113,12 +113,13 @@ static void hypfs_unlock(void)
}
}
-const struct hypfs_entry *hypfs_node_enter(const struct hypfs_entry *entry)
+const struct hypfs_entry *cf_check hypfs_node_enter(
+ const struct hypfs_entry *entry)
{
return entry;
}
-void hypfs_node_exit(const struct hypfs_entry *entry)
+void cf_check hypfs_node_exit(const struct hypfs_entry *entry)
{
}
@@ -289,16 +290,14 @@ static int hypfs_get_path_user(char *buf,
return 0;
}
-struct hypfs_entry *hypfs_leaf_findentry(const struct hypfs_entry_dir *dir,
- const char *name,
- unsigned int name_len)
+struct hypfs_entry *cf_check hypfs_leaf_findentry(
+ const struct hypfs_entry_dir *dir, const char *name, unsigned int name_len)
{
return ERR_PTR(-ENOTDIR);
}
-struct hypfs_entry *hypfs_dir_findentry(const struct hypfs_entry_dir *dir,
- const char *name,
- unsigned int name_len)
+struct hypfs_entry *cf_check hypfs_dir_findentry(
+ const struct hypfs_entry_dir *dir, const char *name, unsigned int name_len)
{
struct hypfs_entry *entry;
@@ -360,7 +359,7 @@ static struct hypfs_entry *hypfs_get_entry(const char *path)
return hypfs_get_entry_rel(&hypfs_root, path + 1);
}
-unsigned int hypfs_getsize(const struct hypfs_entry *entry)
+unsigned int cf_check hypfs_getsize(const struct hypfs_entry *entry)
{
return entry->size;
}
@@ -396,7 +395,7 @@ int hypfs_read_dyndir_id_entry(const struct hypfs_entry_dir
*template,
return 0;
}
-static const struct hypfs_entry *hypfs_dyndir_enter(
+static const struct hypfs_entry *cf_check hypfs_dyndir_enter(
const struct hypfs_entry *entry)
{
const struct hypfs_dyndir_id *data;
@@ -407,7 +406,7 @@ static const struct hypfs_entry *hypfs_dyndir_enter(
return data->template->e.funcs->enter(&data->template->e);
}
-static struct hypfs_entry *hypfs_dyndir_findentry(
+static struct hypfs_entry *cf_check hypfs_dyndir_findentry(
const struct hypfs_entry_dir *dir, const char *name, unsigned int name_len)
{
const struct hypfs_dyndir_id *data;
@@ -418,8 +417,8 @@ static struct hypfs_entry *hypfs_dyndir_findentry(
return data->template->e.funcs->findentry(data->template, name, name_len);
}
-static int hypfs_read_dyndir(const struct hypfs_entry *entry,
- XEN_GUEST_HANDLE_PARAM(void) uaddr)
+static int cf_check hypfs_read_dyndir(
+ const struct hypfs_entry *entry, XEN_GUEST_HANDLE_PARAM(void) uaddr)
{
const struct hypfs_dyndir_id *data;
@@ -463,8 +462,8 @@ unsigned int hypfs_dynid_entry_size(const struct
hypfs_entry *template,
return DIRENTRY_SIZE(snprintf(NULL, 0, template->name, id));
}
-int hypfs_read_dir(const struct hypfs_entry *entry,
- XEN_GUEST_HANDLE_PARAM(void) uaddr)
+int cf_check hypfs_read_dir(const struct hypfs_entry *entry,
+ XEN_GUEST_HANDLE_PARAM(void) uaddr)
{
const struct hypfs_entry_dir *d;
const struct hypfs_entry *e;
@@ -510,8 +509,8 @@ int hypfs_read_dir(const struct hypfs_entry *entry,
return 0;
}
-int hypfs_read_leaf(const struct hypfs_entry *entry,
- XEN_GUEST_HANDLE_PARAM(void) uaddr)
+int cf_check hypfs_read_leaf(
+ const struct hypfs_entry *entry, XEN_GUEST_HANDLE_PARAM(void) uaddr)
{
const struct hypfs_entry_leaf *l;
unsigned int size = entry->funcs->getsize(entry);
@@ -555,9 +554,9 @@ static int hypfs_read(const struct hypfs_entry *entry,
return ret;
}
-int hypfs_write_leaf(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen)
+int cf_check hypfs_write_leaf(
+ struct hypfs_entry_leaf *leaf, XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen)
{
char *buf;
int ret;
@@ -596,9 +595,9 @@ int hypfs_write_leaf(struct hypfs_entry_leaf *leaf,
return ret;
}
-int hypfs_write_bool(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen)
+int cf_check hypfs_write_bool(
+ struct hypfs_entry_leaf *leaf, XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen)
{
bool buf;
@@ -618,9 +617,9 @@ int hypfs_write_bool(struct hypfs_entry_leaf *leaf,
return 0;
}
-int hypfs_write_custom(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen)
+int cf_check hypfs_write_custom(
+ struct hypfs_entry_leaf *leaf, XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen)
{
struct param_hypfs *p;
char *buf;
@@ -653,9 +652,9 @@ int hypfs_write_custom(struct hypfs_entry_leaf *leaf,
return ret;
}
-int hypfs_write_deny(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen)
+int cf_check hypfs_write_deny(
+ struct hypfs_entry_leaf *leaf, XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen)
{
return -EACCES;
}
diff --git a/xen/common/sched/cpupool.c b/xen/common/sched/cpupool.c
index b9d4babd0d..07f984a659 100644
--- a/xen/common/sched/cpupool.c
+++ b/xen/common/sched/cpupool.c
@@ -1026,8 +1026,8 @@ static struct notifier_block cpu_nfb = {
static HYPFS_DIR_INIT(cpupool_pooldir, "%u");
-static int cpupool_dir_read(const struct hypfs_entry *entry,
- XEN_GUEST_HANDLE_PARAM(void) uaddr)
+static int cf_check cpupool_dir_read(
+ const struct hypfs_entry *entry, XEN_GUEST_HANDLE_PARAM(void) uaddr)
{
int ret = 0;
struct cpupool *c;
@@ -1050,7 +1050,8 @@ static int cpupool_dir_read(const struct hypfs_entry
*entry,
return ret;
}
-static unsigned int cpupool_dir_getsize(const struct hypfs_entry *entry)
+static unsigned int cf_check cpupool_dir_getsize(
+ const struct hypfs_entry *entry)
{
const struct cpupool *c;
unsigned int size = 0;
@@ -1061,7 +1062,7 @@ static unsigned int cpupool_dir_getsize(const struct
hypfs_entry *entry)
return size;
}
-static const struct hypfs_entry *cpupool_dir_enter(
+static const struct hypfs_entry *cf_check cpupool_dir_enter(
const struct hypfs_entry *entry)
{
struct hypfs_dyndir_id *data;
@@ -1076,14 +1077,14 @@ static const struct hypfs_entry *cpupool_dir_enter(
return entry;
}
-static void cpupool_dir_exit(const struct hypfs_entry *entry)
+static void cf_check cpupool_dir_exit(const struct hypfs_entry *entry)
{
spin_unlock(&cpupool_lock);
hypfs_free_dyndata();
}
-static struct hypfs_entry *cpupool_dir_findentry(
+static struct hypfs_entry *cf_check cpupool_dir_findentry(
const struct hypfs_entry_dir *dir, const char *name, unsigned int name_len)
{
unsigned long id;
@@ -1102,8 +1103,8 @@ static struct hypfs_entry *cpupool_dir_findentry(
return hypfs_gen_dyndir_id_entry(&cpupool_pooldir, id, cpupool);
}
-static int cpupool_gran_read(const struct hypfs_entry *entry,
- XEN_GUEST_HANDLE_PARAM(void) uaddr)
+static int cf_check cpupool_gran_read(
+ const struct hypfs_entry *entry, XEN_GUEST_HANDLE_PARAM(void) uaddr)
{
const struct hypfs_dyndir_id *data;
const struct cpupool *cpupool;
@@ -1121,7 +1122,7 @@ static int cpupool_gran_read(const struct hypfs_entry
*entry,
return copy_to_guest(uaddr, gran, strlen(gran) + 1) ? -EFAULT : 0;
}
-static unsigned int hypfs_gran_getsize(const struct hypfs_entry *entry)
+static unsigned int cf_check hypfs_gran_getsize(const struct hypfs_entry
*entry)
{
const struct hypfs_dyndir_id *data;
const struct cpupool *cpupool;
@@ -1136,9 +1137,9 @@ static unsigned int hypfs_gran_getsize(const struct
hypfs_entry *entry)
return strlen(gran) + 1;
}
-static int cpupool_gran_write(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen)
+static int cf_check cpupool_gran_write(
+ struct hypfs_entry_leaf *leaf, XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen)
{
const struct hypfs_dyndir_id *data;
struct cpupool *cpupool;
diff --git a/xen/include/xen/hypfs.h b/xen/include/xen/hypfs.h
index e9d4c2555b..1b65a9188c 100644
--- a/xen/include/xen/hypfs.h
+++ b/xen/include/xen/hypfs.h
@@ -168,31 +168,30 @@ void hypfs_add_dyndir(struct hypfs_entry_dir *parent,
struct hypfs_entry_dir *template);
int hypfs_add_leaf(struct hypfs_entry_dir *parent,
struct hypfs_entry_leaf *leaf, bool nofault);
-const struct hypfs_entry *hypfs_node_enter(const struct hypfs_entry *entry);
-void hypfs_node_exit(const struct hypfs_entry *entry);
-int hypfs_read_dir(const struct hypfs_entry *entry,
- XEN_GUEST_HANDLE_PARAM(void) uaddr);
-int hypfs_read_leaf(const struct hypfs_entry *entry,
- XEN_GUEST_HANDLE_PARAM(void) uaddr);
-int hypfs_write_deny(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen);
-int hypfs_write_leaf(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen);
-int hypfs_write_bool(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen);
-int hypfs_write_custom(struct hypfs_entry_leaf *leaf,
- XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
- unsigned int ulen);
-unsigned int hypfs_getsize(const struct hypfs_entry *entry);
-struct hypfs_entry *hypfs_leaf_findentry(const struct hypfs_entry_dir *dir,
- const char *name,
- unsigned int name_len);
-struct hypfs_entry *hypfs_dir_findentry(const struct hypfs_entry_dir *dir,
- const char *name,
- unsigned int name_len);
+const struct hypfs_entry *cf_check hypfs_node_enter(
+ const struct hypfs_entry *entry);
+void cf_check hypfs_node_exit(const struct hypfs_entry *entry);
+int cf_check hypfs_read_dir(const struct hypfs_entry *entry,
+ XEN_GUEST_HANDLE_PARAM(void) uaddr);
+int cf_check hypfs_read_leaf(const struct hypfs_entry *entry,
+ XEN_GUEST_HANDLE_PARAM(void) uaddr);
+int cf_check hypfs_write_deny(struct hypfs_entry_leaf *leaf,
+ XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen);
+int cf_check hypfs_write_leaf(struct hypfs_entry_leaf *leaf,
+ XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen);
+int cf_check hypfs_write_bool(struct hypfs_entry_leaf *leaf,
+ XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen);
+int cf_check hypfs_write_custom(struct hypfs_entry_leaf *leaf,
+ XEN_GUEST_HANDLE_PARAM(const_void) uaddr,
+ unsigned int ulen);
+unsigned int cf_check hypfs_getsize(const struct hypfs_entry *entry);
+struct hypfs_entry *cf_check hypfs_leaf_findentry(
+ const struct hypfs_entry_dir *dir, const char *name, unsigned int
name_len);
+struct hypfs_entry *cf_check hypfs_dir_findentry(
+ const struct hypfs_entry_dir *dir, const char *name, unsigned int
name_len);
void *hypfs_alloc_dyndata(unsigned long size);
#define hypfs_alloc_dyndata(type) ((type *)hypfs_alloc_dyndata(sizeof(type)))
void *hypfs_get_dyndata(void);
--
generated by git-patchbot for /home/xen/git/xen.git#staging
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |