[Xen-devel] [PATCH v2 17/18] argo: validate hypercall arg structures via compat machinery
Argo doesn't use compat hypercall or argument translation but can use some of the infrastructure for validating the hypercall argument structures to ensure that the struct sizes, offsets and compositions don't vary between 32 and 64bit, so add that here in a new dedicated source file for this purpose.

Some of the argo hypercall argument structures contain elements that are hypercall argument structure types themselves, and the standard compat structure validation does not handle this, since the types differ in compat vs. non-compat versions; so for some of the tests the exact-type-match check is replaced with a weaker, but still sufficient, sizeof check.

Then there are additional hypercall argument structures that contain elements that do not have a fixed size (last element, variable length array fields), so we have to then disable that size check too for validating those structures; the coverage of offset of elements is still retained.

Signed-off-by: Christopher Clark <christopher.clark6@xxxxxxxxxxxxxx>
---
This is a new patch introduced in version 2 of the series.

These checks could be introduced incrementally in multiple previous commits as the data structures are added with each hypercall op, but this commit can stand or fall on its own and the macro redefinition needed to override aspects of the checking warrants review.

This commit does add compile-time coverage of the hypercall data structures (as requested).

xen/common/Makefile | 2 +- xen/common/compat/argo.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 xen/common/compat/argo.c diff --git a/xen/common/Makefile b/xen/common/Makefile index 8c65c6f..88b9b2f 100644 --- a/xen/common/Makefile +++ b/xen/common/Makefile 
@@ -70,7 +70,7 @@ obj-y += xmalloc_tlsf.o obj-bin-$(CONFIG_X86) += $(foreach n,decompress bunzip2 unxz unlzma unlzo unlz4 earlycpio,$(n).init.o) -obj-$(CONFIG_COMPAT) += $(addprefix compat/,domain.o kernel.o memory.o multicall.o xlat.o) +obj-$(CONFIG_COMPAT) += $(addprefix compat/,argo.o domain.o kernel.o memory.o multicall.o xlat.o) tmem-y := tmem.o tmem_xen.o tmem_control.o tmem-$(CONFIG_COMPAT) += compat/tmem_xen.o diff --git a/xen/common/compat/argo.c b/xen/common/compat/argo.c new file mode 100644 index 0000000..209c4fd --- /dev/null +++ b/xen/common/compat/argo.c 
@@ -0,0 +1,60 @@ +/****************************************************************************** + * Argo : Hypervisor-Mediated data eXchange + * + * Copyright (c) 2018, BAE Systems + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include <xen/types.h> +#include <xen/lib.h> +#include <public/argo.h> +#include <compat/argo.h> + +CHECK_argo_addr; + +/* + * Disable strict type checking in this compat validation macro for the + * following struct checks because it cannot handle fields within structs that + * have types that differ in the compat versus non-compat structs. + * Replace it with a field size check which is sufficient here. + */ + +#undef CHECK_FIELD_COMMON_ +#define CHECK_FIELD_COMMON_(k, name, n, f) \ +static inline int __maybe_unused name(k xen_ ## n *x, k compat_ ## n *c) \ +{ \ + BUILD_BUG_ON(offsetof(k xen_ ## n, f) != \ + offsetof(k compat_ ## n, f)); \ + return sizeof(x->f) == sizeof(c->f); \ +} + +CHECK_argo_ring_id; +CHECK_argo_send_addr; +CHECK_argo_ring_data_ent; +CHECK_argo_iov; + +/* + * Disable sizeof type checking for the following struct checks because + * these structs have fields with variable size that the size check + * cannot validate. 
+ */ + +#undef CHECK_FIELD_COMMON_ +#define CHECK_FIELD_COMMON_(k, name, n, f) \ +static inline int __maybe_unused name(k xen_ ## n *x, k compat_ ## n *c) \ +{ \ + BUILD_BUG_ON(offsetof(k xen_ ## n, f) != \ + offsetof(k compat_ ## n, f)); \ + return 1; \ +} + +CHECK_argo_ring; +CHECK_argo_ring_data; -- 2.7.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
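Review bot: in the first CHECK_FIELD_COMMON_ override in xen/common/compat/argo.c, the size comparison is only the return value of an unused static inline function (`return sizeof(x->f) == sizeof(c->f);`), so a size mismatch between the xen_ and compat_ field would not stop the build; only the offsetof comparison sits inside BUILD_BUG_ON. If the sizeof check is meant to be the compile-time replacement for the exact-type-match check that the commit message describes, put it in its own `BUILD_BUG_ON(sizeof(x->f) != sizeof(c->f));` and return a constant, as the second override already does. Both overrides also stay in effect to the end of the file, so a short comment saying that any CHECK_ line added below them inherits the relaxed checking would help the next person who extends this file.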