|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [xen-unstable bisection] complete build-armhf
branch xen-unstable
xen branch xen-unstable
job build-armhf
test xen-build
Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git
*** Found and reproduced problem changeset ***
Bug is in tree: xen git://xenbits.xen.org/xen.git
Bug introduced: 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Bug not present: 04877847ade4ac9216e9f408fd544ade8f90cf9a
commit 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date: Fri Jun 14 16:39:36 2013 +0100
libelf: check all pointer accesses
We change the ELF_PTRVAL and ELF_HANDLE types and associated macros:
* PTRVAL becomes a uintptr_t, for which we provide a typedef
elf_ptrval. This means no arithmetic done on it can overflow so
the compiler cannot do any malicious invalid pointer arithmetic
"optimisations". It also means that any places where we
dereference one of these pointers without using the appropriate
macros or functions become a compilation error.
So we can be sure that we won't miss any memory accesses.
All the PTRVAL variables were previously void* or char*, so
the actual address calculations are unchanged.
* ELF_HANDLE becomes a union, one half of which keeps the pointer
value and the other half of which is just there to record the
type.
The new type is not a pointer type so there can be no address
calculations on it whose meaning would change. Every assignment or
access has to go through one of our macros.
* The distinction between const and non-const pointers and char*s
and void*s in libelf goes away. This was not important (and
anyway libelf tended to cast away const in various places).
* The fields elf->image and elf->dest are renamed. That proves
that we haven't missed any unchecked uses of these actual
pointer values.
* The caller may fill in elf->caller_xdest_base and _size to
specify another range of memory which is safe for libelf to
access, besides the input and output images.
* When accesses fail due to being out of range, we mark the elf
"broken". This will be checked and used for diagnostics in
a following patch.
We do not check for write accesses to the input image. This is
because libelf actually does this in a number of places. So we
simply permit that.
* Each caller of libelf which used to set dest now sets
dest_base and dest_size.
* In xc_dom_load_elf_symtab we provide a new actual-pointer
value hdr_ptr which we get from mapping the guest's kernel
area and use (checking carefully) as the caller_xdest area.
* The STAR(h) macro in libelf-dominfo.c now uses elf_access_unsigned.
* elf-init uses the new elf_uval_3264 accessor to access the 32-bit
fields, rather than an unchecked field access (ie, unchecked
pointer access).
* elf_uval has been reworked to use elf_uval_3264. Both of these
macros are essentially new in this patch (although they are derived
from the old elf_uval) and need careful review.
* ELF_ADVANCE_DEST is now safe in the sense that you can use it to
chop parts off the front of the dest area but if you chop more than
is available, the dest area is simply set to be empty, preventing
future accesses.
* We introduce some #defines for memcpy, memset, memmove and strcpy:
- We provide elf_memcpy_safe and elf_memset_safe which take
PTRVALs and do checking on the supplied pointers.
- Users inside libelf must all be changed to either
elf_mem*_unchecked (which are just like mem*), or
elf_mem*_safe (which take PTRVALs) and are checked. Any
unchanged call sites become compilation errors.
* We do _not_ at this time fix elf_access_unsigned so that it doesn't
make unaligned accesses. We hope that unaligned accesses are OK on
every supported architecture. But it does check the supplied
pointer for validity.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
v7: Remove a spurious whitespace change.
v5: Use allow_size value from xc_dom_vaddr_to_ptr to set xdest_size
correctly.
If ELF_ADVANCE_DEST advances past the end, mark the elf broken.
Always regard NULL allowable region pointers (e.g. dest_base)
as invalid (since NULL pointers don't point anywhere).
v4: Fix ELF_UNSAFE_PTR to work on 32-bit even when provided 64-bit
values.
Fix xc_dom_load_elf_symtab not to call XC_DOM_PAGE_SIZE
unnecessarily if load is false. This was a regression.
v3.1:
Introduce a change to elf_store_field to undo the effects of
the v3.1 change to the previous patch (the definition there
is not compatible with the new types).
v3: Fix a whitespace error.
v2 was Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
v2: BUGFIX: elf_strval: Fix loop termination condition to actually work.
BUGFIX: elf_strval: Fix return value to not always be totally wild.
BUGFIX: xc_dom_load_elf_symtab: do proper check for small header size.
xc_dom_load_elf_symtab: narrow scope of `hdr_ptr'.
xc_dom_load_elf_symtab: split out uninit'd symtab.class ref fix.
More comments on the lifetime/validity of elf-> dest ptrs etc.
libelf.h: write "obsolete" out in full
libelf.h: rename "dontuse" to "typeonly" and add doc comment
elf_ptrval_in_range: Document trustedness of arguments.
Style and commit message fixes.
For bisection revision-tuple graph see:
http://www.chiark.greenend.org.uk/~xensrcts/results/bisect.xen-unstable.build-armhf.xen-build.html
Revision IDs in each graph node refer, respectively, to the Trees above.
----------------------------------------
Searching for failure / basis pass:
18125 fail [host=army] / 18114 ok.
Failure / basis pass flights: 18125 / 18114
Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git
Latest 79c097d5fe7cb0b4788ed509240cde7e210650bf
82cb4113b6ace16de192021de20f6cbd991e478f
Basis pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
Generating revisions with ./adhoc-revtuple-generator
git://xenbits.xen.org/staging/qemu-upstream-unstable.git#79c097d5fe7cb0b4788ed509240cde7e210650bf-79c097d5fe7cb0b4788ed509240cde7e210650bf
git://xenbits.xen.org/xen.git#2caac1caa19bdaeb9ab14b2baf1342e00c4d0495-82cb4113b6ace16de192021de20f6cbd991e478f
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git
/export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git
/export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
Loaded 1001 nodes in revision graph
Searching for test results:
18113 pass irrelevant
18114 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
18125 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf
82cb4113b6ace16de192021de20f6cbd991e478f
18129 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
18130 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf
82cb4113b6ace16de192021de20f6cbd991e478f
18131 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf
65808a8ed41cc7c044f588bd6cab5af0fdc0e029
18132 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
13e2c808f7ea721c8f200062e2b9b977ee924471
18133 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
85256359995587df00001dca22e9a76ba6ea8258
18134 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
50421bd56bf164f490d7d0bf5741e58936de41e8
18135 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
04877847ade4ac9216e9f408fd544ade8f90cf9a
18136 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf
65808a8ed41cc7c044f588bd6cab5af0fdc0e029
18137 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
04877847ade4ac9216e9f408fd544ade8f90cf9a
18138 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf
65808a8ed41cc7c044f588bd6cab5af0fdc0e029
18139 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf
04877847ade4ac9216e9f408fd544ade8f90cf9a
18140 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf
65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Searching for interesting versions
Result found: flight 18114 (pass), for basis pass
Result found: flight 18125 (fail), for basis failure
Repro found: flight 18129 (pass), for basis pass
Repro found: flight 18130 (fail), for basis failure
0 revisions at 79c097d5fe7cb0b4788ed509240cde7e210650bf
04877847ade4ac9216e9f408fd544ade8f90cf9a
No revisions left to test, checking graph state.
Result found: flight 18135 (pass), for last pass
Result found: flight 18136 (fail), for first failure
Repro found: flight 18137 (pass), for last pass
Repro found: flight 18138 (fail), for first failure
Repro found: flight 18139 (pass), for last pass
Repro found: flight 18140 (fail), for first failure
*** Found and reproduced problem changeset ***
Bug is in tree: xen git://xenbits.xen.org/xen.git
Bug introduced: 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Bug not present: 04877847ade4ac9216e9f408fd544ade8f90cf9a
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git
/export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
commit 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date: Fri Jun 14 16:39:36 2013 +0100
libelf: check all pointer accesses
We change the ELF_PTRVAL and ELF_HANDLE types and associated macros:
* PTRVAL becomes a uintptr_t, for which we provide a typedef
elf_ptrval. This means no arithmetic done on it can overflow so
the compiler cannot do any malicious invalid pointer arithmetic
"optimisations". It also means that any places where we
dereference one of these pointers without using the appropriate
macros or functions become a compilation error.
So we can be sure that we won't miss any memory accesses.
All the PTRVAL variables were previously void* or char*, so
the actual address calculations are unchanged.
* ELF_HANDLE becomes a union, one half of which keeps the pointer
value and the other half of which is just there to record the
type.
The new type is not a pointer type so there can be no address
calculations on it whose meaning would change. Every assignment or
access has to go through one of our macros.
* The distinction between const and non-const pointers and char*s
and void*s in libelf goes away. This was not important (and
anyway libelf tended to cast away const in various places).
* The fields elf->image and elf->dest are renamed. That proves
that we haven't missed any unchecked uses of these actual
pointer values.
* The caller may fill in elf->caller_xdest_base and _size to
specify another range of memory which is safe for libelf to
access, besides the input and output images.
* When accesses fail due to being out of range, we mark the elf
"broken". This will be checked and used for diagnostics in
a following patch.
We do not check for write accesses to the input image. This is
because libelf actually does this in a number of places. So we
simply permit that.
* Each caller of libelf which used to set dest now sets
dest_base and dest_size.
* In xc_dom_load_elf_symtab we provide a new actual-pointer
value hdr_ptr which we get from mapping the guest's kernel
area and use (checking carefully) as the caller_xdest area.
* The STAR(h) macro in libelf-dominfo.c now uses elf_access_unsigned.
* elf-init uses the new elf_uval_3264 accessor to access the 32-bit
fields, rather than an unchecked field access (ie, unchecked
pointer access).
* elf_uval has been reworked to use elf_uval_3264. Both of these
macros are essentially new in this patch (although they are derived
from the old elf_uval) and need careful review.
* ELF_ADVANCE_DEST is now safe in the sense that you can use it to
chop parts off the front of the dest area but if you chop more than
is available, the dest area is simply set to be empty, preventing
future accesses.
* We introduce some #defines for memcpy, memset, memmove and strcpy:
- We provide elf_memcpy_safe and elf_memset_safe which take
PTRVALs and do checking on the supplied pointers.
- Users inside libelf must all be changed to either
elf_mem*_unchecked (which are just like mem*), or
elf_mem*_safe (which take PTRVALs) and are checked. Any
unchanged call sites become compilation errors.
* We do _not_ at this time fix elf_access_unsigned so that it doesn't
make unaligned accesses. We hope that unaligned accesses are OK on
every supported architecture. But it does check the supplied
pointer for validity.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
v7: Remove a spurious whitespace change.
v5: Use allow_size value from xc_dom_vaddr_to_ptr to set xdest_size
correctly.
If ELF_ADVANCE_DEST advances past the end, mark the elf broken.
Always regard NULL allowable region pointers (e.g. dest_base)
as invalid (since NULL pointers don't point anywhere).
v4: Fix ELF_UNSAFE_PTR to work on 32-bit even when provided 64-bit
values.
Fix xc_dom_load_elf_symtab not to call XC_DOM_PAGE_SIZE
unnecessarily if load is false. This was a regression.
v3.1:
Introduce a change to elf_store_field to undo the effects of
the v3.1 change to the previous patch (the definition there
is not compatible with the new types).
v3: Fix a whitespace error.
v2 was Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
v2: BUGFIX: elf_strval: Fix loop termination condition to actually work.
BUGFIX: elf_strval: Fix return value to not always be totally wild.
BUGFIX: xc_dom_load_elf_symtab: do proper check for small header size.
xc_dom_load_elf_symtab: narrow scope of `hdr_ptr'.
xc_dom_load_elf_symtab: split out uninit'd symtab.class ref fix.
More comments on the lifetime/validity of elf-> dest ptrs etc.
libelf.h: write "obsolete" out in full
libelf.h: rename "dontuse" to "typeonly" and add doc comment
elf_ptrval_in_range: Document trustedness of arguments.
Style and commit message fixes.
Revision graph left in
/home/xc_osstest/results/bisect.xen-unstable.build-armhf.xen-build.{dot,ps,png,html}.
----------------------------------------
18140: tolerable ALL FAIL
flight 18140 xen-unstable real-bisect [real]
http://www.chiark.greenend.org.uk/~xensrcts/logs/18140/
Failures :-/ but no regressions.
Tests which did not succeed,
including tests which could not be run:
build-armhf 4 xen-build fail baseline untested
jobs:
build-armhf fail
------------------------------------------------------------
sg-report-flight on woking.cam.xci-test.com
logs: /home/xc_osstest/logs
images: /home/xc_osstest/images
Logs, config files, etc. are available at
http://www.chiark.greenend.org.uk/~xensrcts/logs
Test harness code can be found at
http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |