[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories

To: Jan Beulich <jbeulich@xxxxxxxx>
From: Jürgen Groß <jgross@xxxxxxxx>
Date: Fri, 18 Dec 2020 09:57:05 +0100
Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 18 Dec 2020 08:57:15 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 17.12.20 13:14, Jan Beulich wrote:

On 17.12.2020 12:32, Jürgen Groß wrote:

On 17.12.20 12:28, Jan Beulich wrote:

On 09.12.2020 17:09, Juergen Gross wrote:

+static const struct hypfs_entry *hypfs_dyndir_enter(
+    const struct hypfs_entry *entry)
+{
+    const struct hypfs_dyndir_id *data;
+
+    data = hypfs_get_dyndata();
+
+    /* Use template with original enter function. */
+    return data->template->e.funcs->enter(&data->template->e);
+}


At the example of this (applies to other uses as well): I realize
hypfs_get_dyndata() asserts that the pointer is non-NULL, but
according to the bottom of ./CODING_STYLE this may not be enough
when considering the implications of a NULL deref in the context
of a PV guest. Even this living behind a sysctl doesn't really
help, both because via XSM not fully privileged domains can be
granted access, and because speculation may still occur all the
way into here. (I'll send a patch to address the latter aspect in
a few minutes.) While likely we have numerous existing examples
with similar problems, I guess in new code we'd better be as
defensive as possible.


What do you suggest? BUG_ON()?


Well, BUG_ON() would be a step in the right direction, converting
privilege escalation to DoS. The question is if we can't do better
here, gracefully failing in such a case (the usual pair of
ASSERT_UNREACHABLE() plus return/break/goto approach doesn't fit
here, at least not directly).

You are aware that this is nothing a user can influence, so it would
be a clear coding error in the hypervisor?


A user (or guest) can't arrange for there to be a NULL pointer,
but if there is one that can be run into here, this would still
require an XSA afaict.


I still don't see how this could happen without a major coding bug,
which IMO wouldn't go unnoticed during a really brief test (this is
the reason for ASSERT() in hypfs_get_dyndata() after all).

Its not as if the control flow would allow many different ways to reach
any of the hypfs_get_dyndata() calls.

I can add security checks at the appropriate places, but I think this
would be just dead code. OTOH if you are feeling strong here lets go
with it.


Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: application/pgp-keys

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Follow-Ups:
- Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories
  - From: Jan Beulich

References:
- [PATCH v3 0/8] xen: support per-cpupool scheduling granularity
  - From: Juergen Gross
- [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories
  - From: Juergen Gross
- Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories
  - From: Jan Beulich
- Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories
  - From: Jürgen Groß
- Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories
  - From: Jan Beulich

Prev by Date: Re: [PATCH 2/6] x86/mm: p2m_add_foreign() is HVM-only
Next by Date: Re: [PATCH 3/6] x86/p2m: set_{foreign,mmio}_p2m_entry() are HVM-only
Previous by thread: Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories
Next by thread: Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.