Re: [Xen-devel] [PATCH v6 08/24] xsplice: Add helper elf routines
On Thu, Apr 07, 2016 at 05:19:37PM +0100, Ian Jackson wrote:
> Konrad Rzeszutek Wilk writes ("[PATCH v6 08/24] xsplice: Add helper elf
> routines"):
> > From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
> >
> > Add Elf routines and data structures in preparation for loading an
> > xSplice payload.
> >
> > We make an assumption that the max number of sections an ELF payload
> > can have is 64. We can in future make this be dependent on the
> > names of the sections and verifying against a list, but for right now
> > this suffices.
> >
> > Also we a whole lot of checks to make sure that the ELF payload
> > file is not corrupted nor that the offsets point past the file.
>
> This is good, but: ideally I would like to avoid conducting a detailed
> security review of this code.
>
> My understanding of this is that the purpose of this machinery is to
> supply binary runtime patches to the hypervisor. So I think someone
> who can inject malicious xsplice payloads can already control the
> host. Is that right ?
<nods> The payload could be just fine from an ELF perspective and
insert a patch that immediately calls BUG_ON().
>
> If so then bugs in this loader cannot be any security impact.
Yes.
>
> It might be worth mentioning somewhere that this loader must not be
> used for xsplice payloads for guest kernels.
How "fun" would that be! Also I do want signature checking on
the payloads so at least we would only load ones that are trusted
from a vendor. But that is v2 goal.
>
> Ian.
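
The checks the quoted commit message describes (at most 64 sections, no offset pointing past the file) can be sketched as follows. This is an added example, not code from the patch or from Xen; `elf_check_sections` and `build_sample` are hypothetical names, and it assumes the ELF64 types from the Linux `<elf.h>` header.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

#define MAX_SECTIONS 64 /* limit stated in the quoted commit message */

/* 0 if the section table and every section's bytes lie inside buf[0..len). */
int elf_check_sections(const uint8_t *buf, size_t len)
{
    Elf64_Ehdr eh;
    Elf64_Shdr sh;

    if (len < sizeof(eh))
        return -1;                       /* truncated header */
    memcpy(&eh, buf, sizeof(eh));
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -2;                       /* not a 64-bit ELF */
    if (eh.e_shnum == 0 || eh.e_shnum > MAX_SECTIONS || eh.e_shentsize != sizeof(sh))
        return -3;                       /* section count or entry size */
    /* Subtract and divide rather than add and multiply, so nothing can wrap. */
    if (eh.e_shoff > len || (len - eh.e_shoff) / sizeof(sh) < eh.e_shnum)
        return -4;                       /* section table runs past the file */
    for (size_t i = 0; i < eh.e_shnum; i++) {
        memcpy(&sh, buf + eh.e_shoff + i * sizeof(sh), sizeof(sh));
        if (sh.sh_type == SHT_NULL || sh.sh_type == SHT_NOBITS)
            continue;                    /* occupies no bytes in the file */
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset)
            return -5;                   /* section runs past the file */
    }
    return 0;
}

/* Constructed sample image: ELF header, then shnum section headers, of which
 * only section 1 (PROGBITS) is populated, with the given offset and size. */
size_t build_sample(uint8_t *out, size_t cap, uint16_t shnum, uint64_t off, uint64_t size)
{
    Elf64_Ehdr eh = {0};
    Elf64_Shdr sh = {0};
    size_t len = sizeof(eh) + (size_t)shnum * sizeof(sh);

    if (shnum < 2 || len > cap)
        return 0;
    memset(out, 0, len);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_shoff = sizeof(eh); eh.e_shentsize = sizeof(sh); eh.e_shnum = shnum;
    memcpy(out, &eh, sizeof(eh));
    sh.sh_type = SHT_PROGBITS; sh.sh_offset = off; sh.sh_size = size;
    memcpy(out + sizeof(eh) + sizeof(sh), &sh, sizeof(sh));
    return len;
}
```

The offset `UINT64_MAX` with size 2 is the case a naive `offset + size <= len` test would accept after wrapping; the subtraction form rejects it.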