[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 0/8] libelf: safety enhancements

To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
From: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Date: Fri, 9 Dec 2016 15:44:41 +0000
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>
Delivery-date: Fri, 09 Dec 2016 15:45:25 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

We recently discovered two near-miss in libelf:

* The intended method for limiting the phdr loop iteration count was
  not effective.  But happily this turned not to be important because
  the count field is only 16 bits.

* A recent commit accidentally introduced a division by zero
  vulnerability.

Subsequent discussion revealed that the design principles underlying
libelf's safety were not widely understood - because they were not
documented.

Initially I tried dealing with the loop safety problem by auditing the
code and adding a suitable comment next to each loop, stating a proof
sketch of the loop's safety.  I found that this quickly became
unworkable, because there are nested loops.  These nested loops did
not have badly unreasonable upper bounds but the complexity of the
analysis was unsuitable for security-critical review.

An upper bound on the work done in loops in libelf is necessary
because libelf may be called by the toolstack in a context where it
would block other work.  Specifically, libelf is called by libxl, and
libxl does all of its work within a single per-ctx lock.  libxl's
callers are not supposed to be required to invoke libxl on multiple
ctxs or with multiple processes simultaneously, and in any case
we don't want to generate and leak stuck toolstack processes.

So, in this series, I propose:

 * A new scheme for limiting the work done by libelf.  We track it
   explicitly, and check it on each iteration of every loop.  (This
   replaces a similar ad-hoc scheme used for copying image data.)

 * Documentation which states the safety design principles for libelf,
   and the coding rules which follow from those design principles.

After this series is done there are a few redundant loop safety
checks, from the previous approach:

 * There are a number of ad-hoc limits on string sizes, certain table
   sizes, etc.

 * There are calls to elf_access_ok which were intended to limit loop
   iteration counts (but are ineffective at doing so since the stride
   is controlled by the input image and might be zero).

I have chosen to retain these.  Removing them seems like an
unnecessary risk.  In particular, searching for and removing
certain elf_access_ok calls seems unwise.

Thanks,
Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- [Xen-devel] [PATCH 7/8] libelf: loop safety cleanup: Remove superseded image size copy check
  - From: Ian Jackson
- [Xen-devel] [PATCH 5/8] libelf: loop safety: Replace all calls to strcmp
  - From: Ian Jackson
- [Xen-devel] [PATCH 8/8] libelf: safety: Document safety principles in header file
  - From: Ian Jackson
- [Xen-devel] [PATCH 4/8] libelf: loop safety: Call elf_iter_ok_counted at every *mem*_unsafe
  - From: Ian Jackson
- [Xen-devel] [PATCH 3/8] libelf: loop safety: Call elf_iter_ok[_counted] in every loop
  - From: Ian Jackson
- [Xen-devel] [PATCH 6/8] libelf: loop safety cleanup: Remove obsolete check in elf_shdr_count
  - From: Ian Jackson
- [Xen-devel] [PATCH 2/8] libelf: loop safety: Pass `elf' to elf_xen_parse_features
  - From: Ian Jackson
- [Xen-devel] [PATCH 1/8] libelf: loop safety: Introduce elf_iter_ok and elf_strcmp_safe
  - From: Ian Jackson

References:
- Re: [Xen-devel] [PATCH] libelf: Fix div0 issues in elf_{shdr, phdr}_count()
  - From: Ian Jackson

Prev by Date: Re: [Xen-devel] [PATCH 2/2] x86: drop cpu_has_sse{,2}
Next by Date: [Xen-devel] [PATCH 1/8] libelf: loop safety: Introduce elf_iter_ok and elf_strcmp_safe
Previous by thread: Re: [Xen-devel] [PATCH] libelf: Fix div0 issues in elf_{shdr, phdr}_count()
Next by thread: [Xen-devel] [PATCH 1/8] libelf: loop safety: Introduce elf_iter_ok and elf_strcmp_safe
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.