[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 1/2] tools/libxc: Fix issues with libxc and Xen having different featureset lengths

To: "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Fri, 30 Nov 2018 02:18:08 -0700
Cc: Ian Jackson <Ian.Jackson@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>
Delivery-date: Fri, 30 Nov 2018 09:18:16 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 29.11.18 at 20:20, <andrew.cooper3@xxxxxxxxxx> wrote:
> In almost all cases, Xen and libxc will agree on the featureset length,
> because they are built from the same source.
> 
> However, there are circumstances (e.g. security hotfixes) where the featureset
> gets longer and dom0 will, after installing updates, be running with an old
> Xen but new libxc.  Despite writing the code with this scenario in mind, there
> were some bugs.
> 
> First, xen-cpuid's get_featureset() erroneously allocates a buffer based on
> Xen's featureset length, but records libxc's length, which is longer.

"... which may be longer", seeing that nr_features gets initialized from
xc_get_cpu_featureset_size()'s return value, and its subsequent
updating (through xc_get_cpu_featureset()) is only done in certain
cases.

> The hypercall bounce buffer code reads/writes the recorded length, which is
> beyond the end of the allocated object, and a later free() encounters corrupt
> heap metadata.  Fix this by recording the same length that we allocate.
> 
> Secondly, get_cpuid_domain_info() has a related bug when the passed-in
> featureset is a different length to libxc's.
> 
> A large amount of the libxc cpuid functionality depends on info->featureset
> being as long as expected, and it is allocated appropriately.  However, in the
> case that a shorter external featureset is passed in, the logic to check for
> trailing nonzero bits may read off the end of it.  Rework the logic to use the
> correct upper bound.
> 
> In addition, leave a comment next to the fields in struct cpuid_domain_info
> explaining the relationship between the various lengths, and how to cope with
> different lengths.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 1/2] tools/libxc: Fix issues with libxc and Xen having different featureset lengths
  - From: Andrew Cooper

References:
- [Xen-devel] [PATCH 0/2] tools/libxc: Fixes to cpuid logic
  - From: Andrew Cooper
- [Xen-devel] [PATCH 1/2] tools/libxc: Fix issues with libxc and Xen having different featureset lengths
  - From: Andrew Cooper

Prev by Date: [Xen-devel] [seabios test] 130842: regressions - FAIL
Next by Date: Re: [Xen-devel] [PATCH 2/2] tools/libxc: Fix error handling in get_cpuid_domain_info()
Previous by thread: [Xen-devel] [PATCH 1/2] tools/libxc: Fix issues with libxc and Xen having different featureset lengths
Next by thread: Re: [Xen-devel] [PATCH 1/2] tools/libxc: Fix issues with libxc and Xen having different featureset lengths
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.