[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest

To: Jan Beulich <JBeulich@xxxxxxxx>
From: Julien Grall <julien.grall@xxxxxxxxxx>
Date: Tue, 17 Jun 2014 10:23:15 +0100
Cc: Keir Fraser <keir@xxxxxxx>, ian.campbell@xxxxxxxxxx, tim@xxxxxxx, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, stefano.stabellini@xxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Delivery-date: Tue, 17 Jun 2014 09:23:31 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>



On 17/06/14 10:17, Jan Beulich wrote:

On 17.06.14 at 11:09, <julien.grall@xxxxxxxxxx> wrote:

On 17/06/14 09:01, Jan Beulich wrote:

On 16.06.14 at 18:17, <julien.grall@xxxxxxxxxx> wrote:

+
+    /* Add an extra +1 to append \0. We can't assume the guest will
+     * provide a valid string */


Now this is the case for flask, but for a generic string copying
routine I don't think this is desirable. It seems especially wrong to
aid the guest with putting a NUL where none was. If you really
want this, I guess you would be better off adding two variants:
One which demands the string to be NUL-terminated (in which
case passing in a size is sort of bogus), and one which takes a
size and inserts a NUL.


A malicious guest could pass a big buffer without a NUL-terminated. If
we don't limit the size and check the NUL-terminated character the guest
could respectively exhaust Xen memory and exploit it.

Therefore we can't rely on the guest to provide a valid string. This
solution will avoid to check in every caller that the string is
correctly terminated.


You seem to imply that by not passing in a size I also meant not
passing in a maximum size - I didn't say that, though. You absolutely
have to limit the string length for security reasons, but it's clearly a
difference whether you silently NUL-terminate the value after the
maximum number of characters, or return with an error.

I didn't understand in this way your previous mail. Thank you for theexplanation.

It looks like for my use case it's better to throw an error if we don'thave enough place. It would help us if one day the path start to be verylong.

I'm wondering if we can also make this change for flask... Daniel, anythough?


Regards,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
  - From: Daniel De Graaf

References:
- Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
  - From: Jan Beulich
- Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
  - From: Julien Grall
- Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [RFC 11/19] xen/passthrough: Call arch_iommu_domain_destroy before calling iommu_teardown
Next by Date: Re: [Xen-devel] [RFC 11/19] xen/passthrough: Call arch_iommu_domain_destroy before calling iommu_teardown
Previous by thread: Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
Next by thread: Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.