[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [[PATCH v3]] xen/guest_access: Harden *copy_to_guest_offset() to prevent const dest operand
On 23.04.2020 10:10, Julien Grall wrote: > Hi, > > On 23/04/2020 08:38, Jan Beulich wrote: >> On 17.04.2020 19:16, Julien Grall wrote: >>> On 16/04/2020 13:19, Jan Beulich wrote: >>>> On 16.04.2020 13:24, Julien Grall wrote: >>>>> From: Julien Grall <jgrall@xxxxxxxxxx> >>>>> >>>>> At the moment, *copy_to_guest_offset() will allow the hypervisor to copy >>>>> data to guest handle marked const. >>>>> >>>>> Thankfully, no users of the helper will do that. Rather than hoping this >>>>> can be caught during review, harden copy_to_guest_offset() so the build >>>>> will fail if such users are introduced. >>>>> >>>>> There is no easy way to check whether a const is NULL in C99. The >>>>> approach used is to introduce an unused variable that is non-const and >>>>> assign the handle. If the handle were const, this would fail at build >>>>> because without an explicit cast, it is not possible to assign a const >>>>> variable to a non-const variable. >>>>> >>>>> Suggested-by: Jan Beulich <jbeulich@xxxxxxxx> >>>>> Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx> >>>> >>>> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> >>>> with one further remark: >>>> >>>>> --- a/xen/include/asm-x86/guest_access.h >>>>> +++ b/xen/include/asm-x86/guest_access.h >>>>> @@ -87,6 +87,8 @@ >>>>> #define copy_to_guest_offset(hnd, off, ptr, nr) ({ \ >>>>> const typeof(*(ptr)) *_s = (ptr); \ >>>>> char (*_d)[sizeof(*_s)] = (void *)(hnd).p; \ >>>>> + /* Check if the handle is not const */ \ >>>>> + void *__maybe_unused _t = (hnd).p; \ >>>> >>>> Not being a native speaker, to me "if" doesn't look appropriate >>>> here. I'd use "that" instead, but you may want to confirm this. >>>> Overall then maybe "Check that the handle is not for a const type"? >>> >>> I am happy with the new suggestion. I will fixup while comitting it. >>> >>> >>> I would also need a review from Stefano here also. >> >> Would you, even under the new rules? > > "2. In unusual circumstances, a more general maintainer's Ack can stand > in for or even overrule a specific maintainer's Ack. Unusual > circumstances might include: > > - The more specific maintainer has not responded either to the > original patch, nor to "pings", within a reasonable amount of time. > " > > So it depends on your definition of "reasonable amount of time". > A week or two seems reasonable to me for non-pressing issues. No, this isn't the part I was referring to - there are no unusual circumstances here. Quite a bit further up you'll in particular find "In a case where a maintainer themselves submits a patch, the Signed-off-by meets the approval requirement (#1); so a Review from anyone in the community suffices for requirement #2." Jan
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |