
[Xen-devel] [xen-unstable bisection] complete build-armhf



branch xen-unstable
xen branch xen-unstable
job build-armhf
test xen-build

Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git

*** Found and reproduced problem changeset ***

  Bug is in tree:  xen git://xenbits.xen.org/xen.git
  Bug introduced:  65808a8ed41cc7c044f588bd6cab5af0fdc0e029
  Bug not present: 04877847ade4ac9216e9f408fd544ade8f90cf9a


  commit 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
  Author: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
  Date:   Fri Jun 14 16:39:36 2013 +0100
  
      libelf: check all pointer accesses
      
      We change the ELF_PTRVAL and ELF_HANDLE types and associated macros:
      
       * PTRVAL becomes a uintptr_t, for which we provide a typedef
         elf_ptrval.  This means no arithmetic done on it can overflow so
         the compiler cannot do any malicious invalid pointer arithmetic
         "optimisations".  It also means that any places where we
         dereference one of these pointers without using the appropriate
         macros or functions become a compilation error.
      
         So we can be sure that we won't miss any memory accesses.
      
         All the PTRVAL variables were previously void* or char*, so
         the actual address calculations are unchanged.
      
       * ELF_HANDLE becomes a union, one half of which keeps the pointer
         value and the other half of which is just there to record the
         type.
      
         The new type is not a pointer type so there can be no address
         calculations on it whose meaning would change.  Every assignment or
         access has to go through one of our macros.
      
       * The distinction between const and non-const pointers and char*s
         and void*s in libelf goes away.  This was not important (and
         anyway libelf tended to cast away const in various places).
      
       * The fields elf->image and elf->dest are renamed.  That proves
         that we haven't missed any unchecked uses of these actual
         pointer values.
      
       * The caller may fill in elf->caller_xdest_base and _size to
         specify another range of memory which is safe for libelf to
         access, besides the input and output images.
      
       * When accesses fail due to being out of range, we mark the elf
         "broken".  This will be checked and used for diagnostics in
         a following patch.
      
         We do not check for write accesses to the input image.  This is
         because libelf actually does this in a number of places.  So we
         simply permit that.
      
       * Each caller of libelf which used to set dest now sets
         dest_base and dest_size.
      
       * In xc_dom_load_elf_symtab we provide a new actual-pointer
         value hdr_ptr which we get from mapping the guest's kernel
         area and use (checking carefully) as the caller_xdest area.
      
       * The STAR(h) macro in libelf-dominfo.c now uses elf_access_unsigned.
      
       * elf-init uses the new elf_uval_3264 accessor to access the 32-bit
         fields, rather than an unchecked field access (ie, unchecked
         pointer access).
      
       * elf_uval has been reworked to use elf_uval_3264.  Both of these
         macros are essentially new in this patch (although they are derived
         from the old elf_uval) and need careful review.
      
       * ELF_ADVANCE_DEST is now safe in the sense that you can use it to
         chop parts off the front of the dest area but if you chop more than
         is available, the dest area is simply set to be empty, preventing
         future accesses.
      
       * We introduce some #defines for memcpy, memset, memmove and strcpy:
          - We provide elf_memcpy_safe and elf_memset_safe which take
            PTRVALs and do checking on the supplied pointers.
          - Users inside libelf must all be changed to either
            elf_mem*_unchecked (which are just like mem*), or
            elf_mem*_safe (which take PTRVALs) and are checked.  Any
            unchanged call sites become compilation errors.
      
       * We do _not_ at this time fix elf_access_unsigned so that it doesn't
         make unaligned accesses.  We hope that unaligned accesses are OK on
         every supported architecture.  But it does check the supplied
         pointer for validity.
      
      This is part of the fix to a security issue, XSA-55.
      
      Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
      Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
      
      v7: Remove a spurious whitespace change.
      
      v5: Use allow_size value from xc_dom_vaddr_to_ptr to set xdest_size
           correctly.
          If ELF_ADVANCE_DEST advances past the end, mark the elf broken.
          Always regard NULL allowable region pointers (e.g. dest_base)
           as invalid (since NULL pointers don't point anywhere).
      
      v4: Fix ELF_UNSAFE_PTR to work on 32-bit even when provided 64-bit
           values.
          Fix xc_dom_load_elf_symtab not to call XC_DOM_PAGE_SIZE
           unnecessarily if load is false.  This was a regression.
      
      v3.1:
          Introduce a change to elf_store_field to undo the effects of
           the v3.1 change to the previous patch (the definition there
           is not compatible with the new types).
      
      v3: Fix a whitespace error.
      
      v2 was Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
      
      v2: BUGFIX: elf_strval: Fix loop termination condition to actually work.
          BUGFIX: elf_strval: Fix return value to not always be totally wild.
          BUGFIX: xc_dom_load_elf_symtab: do proper check for small header size.
          xc_dom_load_elf_symtab: narrow scope of `hdr_ptr'.
          xc_dom_load_elf_symtab: split out uninit'd symtab.class ref fix.
          More comments on the lifetime/validity of elf-> dest ptrs etc.
          libelf.h: write "obsolete" out in full
          libelf.h: rename "dontuse" to "typeonly" and add doc comment
          elf_ptrval_in_range: Document trustedness of arguments.
          Style and commit message fixes.


For bisection revision-tuple graph see:
   http://www.chiark.greenend.org.uk/~xensrcts/results/bisect.xen-unstable.build-armhf.xen-build.html
Revision IDs in each graph node refer, respectively, to the Trees above.

----------------------------------------
Searching for failure / basis pass:
 18125 fail [host=army] / 18114 ok.
Failure / basis pass flights: 18125 / 18114
Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git
Latest 79c097d5fe7cb0b4788ed509240cde7e210650bf 82cb4113b6ace16de192021de20f6cbd991e478f
Basis pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
Generating revisions with ./adhoc-revtuple-generator git://xenbits.xen.org/staging/qemu-upstream-unstable.git#79c097d5fe7cb0b4788ed509240cde7e210650bf-79c097d5fe7cb0b4788ed509240cde7e210650bf git://xenbits.xen.org/xen.git#2caac1caa19bdaeb9ab14b2baf1342e00c4d0495-82cb4113b6ace16de192021de20f6cbd991e478f
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
Loaded 1001 nodes in revision graph
Searching for test results:
 18113 pass irrelevant
 18114 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
 18125 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 82cb4113b6ace16de192021de20f6cbd991e478f
 18129 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
 18130 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 82cb4113b6ace16de192021de20f6cbd991e478f
 18131 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
 18132 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 13e2c808f7ea721c8f200062e2b9b977ee924471
 18133 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 85256359995587df00001dca22e9a76ba6ea8258
 18134 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 50421bd56bf164f490d7d0bf5741e58936de41e8
 18135 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
 18136 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
 18137 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
 18138 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
 18139 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
 18140 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Searching for interesting versions
 Result found: flight 18114 (pass), for basis pass
 Result found: flight 18125 (fail), for basis failure
 Repro found: flight 18129 (pass), for basis pass
 Repro found: flight 18130 (fail), for basis failure
 0 revisions at 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
No revisions left to test, checking graph state.
 Result found: flight 18135 (pass), for last pass
 Result found: flight 18136 (fail), for first failure
 Repro found: flight 18137 (pass), for last pass
 Repro found: flight 18138 (fail), for first failure
 Repro found: flight 18139 (pass), for last pass
 Repro found: flight 18140 (fail), for first failure

*** Found and reproduced problem changeset ***

  Bug is in tree:  xen git://xenbits.xen.org/xen.git
  Bug introduced:  65808a8ed41cc7c044f588bd6cab5af0fdc0e029
  Bug not present: 04877847ade4ac9216e9f408fd544ade8f90cf9a

using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...

Revision graph left in /home/xc_osstest/results/bisect.xen-unstable.build-armhf.xen-build.{dot,ps,png,html}.
----------------------------------------
18140: tolerable ALL FAIL

flight 18140 xen-unstable real-bisect [real]
http://www.chiark.greenend.org.uk/~xensrcts/logs/18140/

Failures :-/ but no regressions.

Tests which did not succeed,
including tests which could not be run:
 build-armhf                   4 xen-build               fail baseline untested


jobs:
 build-armhf                                                  fail    


------------------------------------------------------------
sg-report-flight on woking.cam.xci-test.com
logs: /home/xc_osstest/logs
images: /home/xc_osstest/images

Logs, config files, etc. are available at
    http://www.chiark.greenend.org.uk/~xensrcts/logs

Test harness code can be found at
    http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

