[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw

To: Julien Grall <julien.grall@xxxxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
From: Ian Campbell <ian.campbell@xxxxxxxxxx>
Date: Wed, 4 Nov 2015 14:29:10 +0000
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Keir Fraser <keir@xxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>
Delivery-date: Wed, 04 Nov 2015 14:29:34 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Wed, 2015-11-04 at 11:40 +0000, Julien Grall wrote:
> > Not sure I follow. If hnd isn't a suitable struct xen guest handle then
> > other things will fail. If a user is passing a non struct
> > xen_guest_handle
> > to this which happens to contain the same fields then more fool them,
> > and
> > if it happens to be 8 bytes anyway your check won't catch that.
> 
> With the 2 checks in set_xen_raw_guest_handle we catch most of the
> problem. They both ensure that the handle is 8-byte and the pointer is
> valid. However we don't check that the padding is at the beginning of
> the structure.
> 
> It's better than what we have today as we don't even check that the
> handle is 8-byte.

I'm not sure I'm all that worried about callers constructing their own
guest handle structs and getting it wrong.

> [...]
> 
> > > > This looses out on the arm32 hypervisor sanity checking that the
> > > > padding
> > > > bytes are 0 (as required by the ABI) but TBH I haven't checked that
> > > > the
> > > > current version has that property either.
> > > 
> > > It's done during the assignation by the compiler:
> > > 
> > > (hnd).q = (uint64_t)(uintptr_t)(val);
> > 
> > I meant on the reading side.
> 
> It's the responsibility of the caller to zero the padding. There is
> nothing to do on the reading side, the hypervisor will use "p" which
> will be the size of the natural pointer.

For a 32-bit Xen the check would be that a guest was not inadvertently
violating this rule, such a guest would crash if it was run on a 64-bit
hypervisor (which would see the non-zero padding as part of the pointer),
by rejecting such cases on 32-bit Xen we avoid such guests becoming
established and therefore presenting a case for us to relax this rule in
one way or another.

This is the same reason as check_multicall_32bit_clean() exists. multicall
is special only in that it was pretty easy to know where to add that check.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Julien Grall

References:
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Stefano Stabellini
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Julien Grall
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Julien Grall
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Ian Campbell
- Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
  - From: Julien Grall

Prev by Date: Re: [Xen-devel] [PATCH] symbols.c: Avoid warn_unused_result build failure on fgets().
Next by Date: Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
Previous by thread: Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
Next by thread: Re: [Xen-devel] [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.