[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] trace security fixes
Jan, Thanks for your work in this. Could you please break this patch down into its component changes (described in the list below) so that I can review, discuss, and ack/nack components individually? (And so they show up as individual changesets when someone's doing archeology...) So far I agree with the following changes: > - there's no need to share writably the t_info pages (Dom0 only wants > [and needs] to read it) > - T_INFO_FIRST_OFFSET wasn't defined correctly, thus allowing in the > num_online_cpus() == NR_CPUS case to pass a corrupted MFN to Dom0 > - printk()-s should be lower level or rate limited But probably disagree with this one: > - the hypervisor should not rely on any specific state of the actual > trace buffer (as it is shared writable with Dom0) And would like to be able to see the impact of following more clearly (i.e., in separate patches): > - check_tbuf_size() didn't consider the case of the incoming size not > allowing for the 2*data_size range for t_buf->{prod,cons} > To make clear what purpose specific variables have and/or where they > got loaded from, the patch also changes the type of some of them to > be explicitly u32/s32, and removes pointless assertions (like checking > an unsigned variable to be >= 0). > > I also took the prototype adjustment of __trace_var() as an opportunity > to simplify the TRACE_xD() macros. Similar simplification could be done > on the (quite numerous) direct callers of the function. Thanks again, -George > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxxxx> > > --- 2010-06-15.orig/tools/xenmon/xenbaked.c 2010-06-01 13:39:57.000000000 > +0200 > +++ 2010-06-15/tools/xenmon/xenbaked.c 2010-06-28 10:23:01.000000000 +0200 > @@ -84,7 +84,7 @@ typedef struct settings_st { > } settings_t; > > struct t_struct { > - struct t_info *t_info; /* Structure with information about individual > buffers */ > + const struct t_info *t_info; /* Structure with information about > individual buffers */ > struct t_buf **meta; /* Pointers to trace buffer metadata */ > unsigned char **data; /* Pointers to trace buffer data areas */ > }; > @@ -376,9 +376,8 @@ static struct t_struct *map_tbufs(unsign > } > > /* Map t_info metadata structure */ > - tbufs.t_info = xc_map_foreign_range(xc_handle, DOMID_XEN, > - tinfo_size, PROT_READ | PROT_WRITE, > - tbufs_mfn); > + tbufs.t_info = xc_map_foreign_range(xc_handle, DOMID_XEN, tinfo_size, > + PROT_READ, tbufs_mfn); > > if ( tbufs.t_info == 0 ) > { > @@ -404,7 +403,8 @@ static struct t_struct *map_tbufs(unsign > for(i=0; i<num; i++) > { > > - uint32_t *mfn_list = ((uint32_t *)tbufs.t_info) + > tbufs.t_info->mfn_offset[i]; > + const uint32_t *mfn_list = (const uint32_t *)tbufs.t_info > + + tbufs.t_info->mfn_offset[i]; > int j; > xen_pfn_t pfn_list[tbufs.t_info->tbuf_size]; > > --- 2010-06-15.orig/tools/xentrace/xentrace.c 2010-06-01 13:39:57.000000000 > +0200 > +++ 2010-06-15/tools/xentrace/xentrace.c 2010-06-28 10:23:26.000000000 > +0200 > @@ -63,7 +63,7 @@ typedef struct settings_st { > } settings_t; > > struct t_struct { > - struct t_info *t_info; /* Structure with information about individual > buffers */ > + const struct t_info *t_info; /* Structure with information about > individual buffers */ > struct t_buf **meta; /* Pointers to trace buffer metadata */ > unsigned char **data; /* Pointers to trace buffer data areas */ > }; > @@ -475,9 +475,8 @@ static struct t_struct *map_tbufs(unsign > int i; > > /* Map t_info metadata structure */ > - tbufs.t_info = xc_map_foreign_range(xc_handle, DOMID_XEN, > - tinfo_size, PROT_READ | PROT_WRITE, > - tbufs_mfn); > + tbufs.t_info = xc_map_foreign_range(xc_handle, DOMID_XEN, tinfo_size, > + PROT_READ, tbufs_mfn); > > if ( tbufs.t_info == 0 ) > { > @@ -503,7 +502,8 @@ static struct t_struct *map_tbufs(unsign > for(i=0; i<num; i++) > { > > - uint32_t *mfn_list = ((uint32_t *)tbufs.t_info) + > tbufs.t_info->mfn_offset[i]; > + const uint32_t *mfn_list = (const uint32_t *)tbufs.t_info > + + tbufs.t_info->mfn_offset[i]; > int j; > xen_pfn_t pfn_list[tbufs.t_info->tbuf_size]; > > --- 2010-06-15.orig/xen/common/trace.c 2010-06-28 09:43:58.000000000 +0200 > +++ 2010-06-15/xen/common/trace.c 2010-06-28 11:58:37.000000000 +0200 > @@ -51,15 +51,15 @@ static struct t_info *t_info; > #define T_INFO_PAGES 2 /* Size fixed at 2 pages for now. */ > #define T_INFO_SIZE ((T_INFO_PAGES)*(PAGE_SIZE)) > /* t_info.tbuf_size + list of mfn offsets + 1 to round up / sizeof uint32_t > */ > -#define T_INFO_FIRST_OFFSET ((sizeof(int16_t) + NR_CPUS * sizeof(int16_t) + > 1) / sizeof(uint32_t)) > -static DEFINE_PER_CPU_READ_MOSTLY(struct t_buf *, t_bufs); > +#define T_INFO_FIRST_OFFSET (((2 + NR_CPUS) * sizeof(uint16_t)) / > sizeof(uint32_t)) > +static DEFINE_PER_CPU_READ_MOSTLY(volatile struct t_buf *, t_bufs); > static DEFINE_PER_CPU_READ_MOSTLY(unsigned char *, t_data); > static DEFINE_PER_CPU_READ_MOSTLY(spinlock_t, t_lock); > -static int data_size; > +static u32 data_size; > > /* High water mark for trace buffers; */ > /* Send virtual interrupt when buffer level reaches this point */ > -static int t_buf_highwater; > +static u32 t_buf_highwater; > > /* Number of records lost due to per-CPU trace buffer being full. */ > static DEFINE_PER_CPU(unsigned long, lost_records); > @@ -77,11 +77,16 @@ static u32 tb_event_mask = TRC_ALL; > > /** > * check_tbuf_size - check to make sure that the proposed size will fit > - * in the currently sized struct t_info. > + * in the currently sized struct t_info and allows prod and cons to > + * reach double the value without overflow. > */ > -static inline int check_tbuf_size(int size) > +static int check_tbuf_size(u32 pages) > { > - return (num_online_cpus() * size + T_INFO_FIRST_OFFSET) > (T_INFO_SIZE / > sizeof(uint32_t)); > + u32 size = pages * PAGE_SIZE; > + > + return (size / PAGE_SIZE != pages) || (size + size < size) || > + (num_online_cpus() * pages + T_INFO_FIRST_OFFSET > > + T_INFO_SIZE / sizeof(uint32_t)); > } > > /** > @@ -115,7 +120,7 @@ static int alloc_trace_bufs(void) > } > > t_info->tbuf_size = opt_tbuf_size; > - printk("tbuf_size %d\n", t_info->tbuf_size); > + printk(XENLOG_INFO "tbuf_size %d\n", t_info->tbuf_size); > > nr_pages = opt_tbuf_size; > order = get_order_from_pages(nr_pages); > @@ -139,7 +144,7 @@ static int alloc_trace_bufs(void) > > spin_lock_irqsave(&per_cpu(t_lock, cpu), flags); > > - buf = per_cpu(t_bufs, cpu) = (struct t_buf *)rawbuf; > + per_cpu(t_bufs, cpu) = buf = (struct t_buf *)rawbuf; > buf->cons = buf->prod = 0; > per_cpu(t_data, cpu) = (unsigned char *)(buf + 1); > > @@ -171,7 +176,7 @@ static int alloc_trace_bufs(void) > /* Write list first, then write per-cpu offset. */ > wmb(); > t_info->mfn_offset[cpu]=offset; > - printk("p%d mfn %"PRIx32" offset %d\n", > + printk(XENLOG_INFO "p%d mfn %"PRIx32" offset %d\n", > cpu, mfn, offset); > offset+=i; > } > @@ -190,6 +195,7 @@ out_dealloc: > spin_lock_irqsave(&per_cpu(t_lock, cpu), flags); > if ( (rawbuf = (char *)per_cpu(t_bufs, cpu)) ) > { > + per_cpu(t_bufs, cpu) = NULL; > ASSERT(!(virt_to_page(rawbuf)->count_info & PGC_allocated)); > free_xenheap_pages(rawbuf, order); > } > @@ -308,7 +314,7 @@ void __init init_trace_bufs(void) > > for(i=0; i<T_INFO_PAGES; i++) > share_xen_page_with_privileged_guests( > - virt_to_page(t_info) + i, XENSHARE_writable); > + virt_to_page(t_info) + i, XENSHARE_readonly); > > if ( opt_tbuf_size == 0 ) > { > @@ -404,19 +410,37 @@ int tb_control(xen_sysctl_tbuf_op_t *tbc > return rc; > } > > -static inline int calc_rec_size(int cycles, int extra) > +static inline unsigned int calc_rec_size(bool_t cycles, unsigned int extra) > { > - int rec_size; > - rec_size = 4; > + unsigned int rec_size = 4; > + > if ( cycles ) > rec_size += 8; > rec_size += extra; > return rec_size; > } > > -static inline int calc_unconsumed_bytes(struct t_buf *buf) > +static inline bool_t bogus(u32 prod, u32 cons) > +{ > + if ( unlikely(prod & 3) || unlikely(prod >= 2 * data_size) || > + unlikely(cons & 3) || unlikely(cons >= 2 * data_size) ) > + { > + tb_init_done = 0; > + printk(XENLOG_WARNING "trc#%u: bogus prod (%08x) and/or cons > (%08x)\n", > + smp_processor_id(), prod, cons); > + return 1; > + } > + return 0; > +} > + > +static inline u32 calc_unconsumed_bytes(const volatile struct t_buf *buf) > { > - int x = buf->prod - buf->cons; > + u32 prod = buf->prod, cons = buf->cons; > + s32 x = prod - cons; > + > + if ( bogus(prod, cons) ) > + return data_size; > + > if ( x < 0 ) > x += 2*data_size; > > @@ -426,9 +450,14 @@ static inline int calc_unconsumed_bytes( > return x; > } > > -static inline int calc_bytes_to_wrap(struct t_buf *buf) > +static inline u32 calc_bytes_to_wrap(const volatile struct t_buf *buf) > { > - int x = data_size - buf->prod; > + u32 prod = buf->prod; > + s32 x = data_size - prod; > + > + if ( bogus(prod, buf->cons) ) > + return 0; > + > if ( x <= 0 ) > x += data_size; > > @@ -438,35 +467,37 @@ static inline int calc_bytes_to_wrap(str > return x; > } > > -static inline int calc_bytes_avail(struct t_buf *buf) > +static inline u32 calc_bytes_avail(const volatile struct t_buf *buf) > { > return data_size - calc_unconsumed_bytes(buf); > } > > -static inline struct t_rec * > -next_record(struct t_buf *buf) > +static inline struct t_rec *next_record(const volatile struct t_buf *buf) > { > - int x = buf->prod; > + u32 x = buf->prod; > + > + if ( !tb_init_done || bogus(x, buf->cons) ) > + return NULL; > + > if ( x >= data_size ) > x -= data_size; > > - ASSERT(x >= 0); > ASSERT(x < data_size); > > return (struct t_rec *)&this_cpu(t_data)[x]; > } > > -static inline int __insert_record(struct t_buf *buf, > - unsigned long event, > - int extra, > - int cycles, > - int rec_size, > - unsigned char *extra_data) > +static inline void __insert_record(volatile struct t_buf *buf, > + unsigned long event, > + unsigned int extra, > + bool_t cycles, > + unsigned int rec_size, > + const void *extra_data) > { > struct t_rec *rec; > unsigned char *dst; > - unsigned long extra_word = extra/sizeof(u32); > - int local_rec_size = calc_rec_size(cycles, extra); > + unsigned int extra_word = extra / sizeof(u32); > + unsigned int local_rec_size = calc_rec_size(cycles, extra); > uint32_t next; > > BUG_ON(local_rec_size != rec_size); > @@ -475,17 +506,20 @@ static inline int __insert_record(struct > /* Double-check once more that we have enough space. > * Don't bugcheck here, in case the userland tool is doing > * something stupid. */ > - if ( calc_bytes_avail(buf) < rec_size ) > + next = calc_bytes_avail(buf); > + if ( next < rec_size ) > { > - printk("%s: %u bytes left (%u - ((%u - %u) %% %u) recsize %u.\n", > - __func__, > - calc_bytes_avail(buf), > - data_size, buf->prod, buf->cons, data_size, rec_size); > - return 0; > + if ( printk_ratelimit() ) > + printk(XENLOG_WARNING > + "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n", > + __func__, next, data_size, buf->prod, buf->cons, > rec_size); > + return; > } > rmb(); > > rec = next_record(buf); > + if ( !rec ) > + return; > rec->event = event; > rec->extra_u32 = extra_word; > dst = (unsigned char *)rec->u.nocycles.extra_u32; > @@ -502,21 +536,22 @@ static inline int __insert_record(struct > > wmb(); > > - next = buf->prod + rec_size; > + next = buf->prod; > + if ( bogus(next, buf->cons) ) > + return; > + next += rec_size; > if ( next >= 2*data_size ) > next -= 2*data_size; > - ASSERT(next >= 0); > ASSERT(next < 2*data_size); > buf->prod = next; > - > - return rec_size; > } > > -static inline int insert_wrap_record(struct t_buf *buf, int size) > +static inline void insert_wrap_record(volatile struct t_buf *buf, > + unsigned int size) > { > - int space_left = calc_bytes_to_wrap(buf); > - unsigned long extra_space = space_left - sizeof(u32); > - int cycles = 0; > + u32 space_left = calc_bytes_to_wrap(buf); > + unsigned int extra_space = space_left - sizeof(u32); > + bool_t cycles = 0; > > BUG_ON(space_left > size); > > @@ -528,17 +563,13 @@ static inline int insert_wrap_record(str > ASSERT((extra_space/sizeof(u32)) <= TRACE_EXTRA_MAX); > } > > - return __insert_record(buf, > - TRC_TRACE_WRAP_BUFFER, > - extra_space, > - cycles, > - space_left, > - NULL); > + __insert_record(buf, TRC_TRACE_WRAP_BUFFER, extra_space, cycles, > + space_left, NULL); > } > > #define LOST_REC_SIZE (4 + 8 + 16) /* header + tsc + sizeof(struct ed) */ > > -static inline int insert_lost_records(struct t_buf *buf) > +static inline void insert_lost_records(volatile struct t_buf *buf) > { > struct { > u32 lost_records; > @@ -553,12 +584,8 @@ static inline int insert_lost_records(st > > this_cpu(lost_records) = 0; > > - return __insert_record(buf, > - TRC_LOST_RECORDS, > - sizeof(ed), > - 1 /* cycles */, > - LOST_REC_SIZE, > - (unsigned char *)&ed); > + __insert_record(buf, TRC_LOST_RECORDS, sizeof(ed), 1 /* cycles */, > + LOST_REC_SIZE, &ed); > } > > /* > @@ -580,13 +607,15 @@ static DECLARE_TASKLET(trace_notify_dom0 > * failure, otherwise 0. Failure occurs only if the trace buffers are not yet > * initialised. > */ > -void __trace_var(u32 event, int cycles, int extra, unsigned char *extra_data) > +void __trace_var(u32 event, bool_t cycles, unsigned int extra, > + const void *extra_data) > { > - struct t_buf *buf; > - unsigned long flags, bytes_to_tail, bytes_to_wrap; > - int rec_size, total_size; > - int extra_word; > - int started_below_highwater = 0; > + volatile struct t_buf *buf; > + unsigned long flags; > + u32 bytes_to_tail, bytes_to_wrap; > + unsigned int rec_size, total_size; > + unsigned int extra_word; > + bool_t started_below_highwater; > > if( !tb_init_done ) > return; > @@ -619,13 +648,11 @@ void __trace_var(u32 event, int cycles, > > /* Read tb_init_done /before/ t_bufs. */ > rmb(); > - > - spin_lock_irqsave(&this_cpu(t_lock), flags); > - > buf = this_cpu(t_bufs); > - > if ( unlikely(!buf) ) > - goto unlock; > + return; > + > + spin_lock_irqsave(&this_cpu(t_lock), flags); > > started_below_highwater = (calc_unconsumed_bytes(buf) < t_buf_highwater); > > --- 2010-06-15.orig/xen/include/xen/trace.h 2010-06-28 09:43:58.000000000 > +0200 > +++ 2010-06-15/xen/include/xen/trace.h 2010-06-25 12:08:36.000000000 +0200 > @@ -36,7 +36,7 @@ int tb_control(struct xen_sysctl_tbuf_op > > int trace_will_trace_event(u32 event); > > -void __trace_var(u32 event, int cycles, int extra, unsigned char > *extra_data); > +void __trace_var(u32 event, bool_t cycles, unsigned int extra, const void *); > > static inline void trace_var(u32 event, int cycles, int extra, > unsigned char *extra_data) > @@ -57,7 +57,7 @@ static inline void trace_var(u32 event, > { \ > u32 _d[1]; \ > _d[0] = d1; \ > - __trace_var(_e, 1, sizeof(*_d), (unsigned char *)_d); \ > + __trace_var(_e, 1, sizeof(_d), _d); \ > } \ > } while ( 0 ) > > @@ -68,7 +68,7 @@ static inline void trace_var(u32 event, > u32 _d[2]; \ > _d[0] = d1; \ > _d[1] = d2; \ > - __trace_var(_e, 1, sizeof(*_d)*2, (unsigned char *)_d); \ > + __trace_var(_e, 1, sizeof(_d), _d); \ > } \ > } while ( 0 ) > > @@ -80,7 +80,7 @@ static inline void trace_var(u32 event, > _d[0] = d1; \ > _d[1] = d2; \ > _d[2] = d3; \ > - __trace_var(_e, 1, sizeof(*_d)*3, (unsigned char *)_d); \ > + __trace_var(_e, 1, sizeof(_d), _d); \ > } \ > } while ( 0 ) > > @@ -93,7 +93,7 @@ static inline void trace_var(u32 event, > _d[1] = d2; \ > _d[2] = d3; \ > _d[3] = d4; \ > - __trace_var(_e, 1, sizeof(*_d)*4, (unsigned char *)_d); \ > + __trace_var(_e, 1, sizeof(_d), _d); \ > } \ > } while ( 0 ) > > @@ -107,7 +107,7 @@ static inline void trace_var(u32 event, > _d[2] = d3; \ > _d[3] = d4; \ > _d[4] = d5; \ > - __trace_var(_e, 1, sizeof(*_d)*5, (unsigned char *)_d); \ > + __trace_var(_e, 1, sizeof(_d), _d); \ > } \ > } while ( 0 ) > > @@ -122,7 +122,7 @@ static inline void trace_var(u32 event, > _d[3] = d4; \ > _d[4] = d5; \ > _d[5] = d6; \ > - __trace_var(_e, 1, sizeof(*_d)*6, (unsigned char *)_d); \ > + __trace_var(_e, 1, sizeof(_d), _d); \ > } \ > } while ( 0 ) > > > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@xxxxxxxxxxxxxxxxxxx > http://lists.xensource.com/xen-devel > > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |