[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free


  • To: Edwin Torok <edvin.torok@xxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Thu, 24 Nov 2022 13:43:09 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=a+QoXY/5fHziO2VRvrfw4vtsMfH0Pj9RY54Cnp3eip0=; b=Uau4eAiwbVe4lfuVdMhLVCx5rZcSdGkvt4K0hbDqFUlyJyspiXdFspod/9aHMIkZXbqeK3Xer5qMRlF+sVNcNwWL9P3YjmHNgN3ygF/+8riTMBFOSNpu0UARFrWXRf65mLBjkapej69A6aa7IHATvw3Ry5rO9EWfbbcEFY9jJe8vXrwMTpgSO35UBL8hUwo3tJqWFdjXbCt6so18qd1noP69hfWr1deVtFhh0Pgj1S9XIsePztZoOHFbUPbZ7J2jySFh6R9Ep+eDgP6JxP8+WZzjsUMUMZMjNprE3ZeZp57MJpK3wYF+GG48oF++7Dzdu45VohqKnsuEBWpw447sWA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eW7pUUemBlYZCtbMl2w1iwba7zqMDMvYpLls8p9mTqADqTGCb7xK0e5vZLITvaObyO9bA/NNTtMHyXZMwQ8d7vC5SqkwUXgQ5treMEd1W6yQTgfbiQw8iiYZi160FwAfnNqrnNESGlP2HITJuDaTIIvBkqMd9AJReFpsPFTsvSJLsMJJ9QMozy5kxVIJvU7x0Askyw9Isx8kJcJgQdqpUiFChfUhaAn55lMj0wTRJdDRGQwdw6Z8Dwimafh9NAEfa4IvGBogaLURORw+oWw8ootTb4YlyY8t9wv34vP8vFnMQ8JlRHD8i+tlb7X8JmAyhWUOSwwLh+sHRM7PkBlhXQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, Rob Hoes <Rob.Hoes@xxxxxxxxxx>
  • Delivery-date: Thu, 24 Nov 2022 13:43:34 +0000
  • Ironport-data: A9a23:nFDNCqgVY7ohwB9cKWuSuYJWX161fBEKZh0ujC45NGQN5FlHY01je htvD2vVafqOZjP1c9lxO9vk80wH7JXWnYAyHQtkrSFhH3gb9cadCdqndUqhZCn6wu8v7q5Ex 55HNoSfdpBcolv0/ErF3m3J9CEkvU2wbuOgTrWCYmUpH1QMpB4J0XpLg/Q+jpNjne+3CgaMv cKai8DEMRqu1iUc3lg8sspvkzsy+qWs0N8klgZmP6oS5QWCzyN94K83fsldEVOpGuG4IcbiL wrz5OnR1n/U+R4rFuSknt7TGqHdauePVeQmoiM+t5mK2nCulARrukoIHKN0hXNsoyeIh7hMJ OBl7vRcf+uL0prkw4zxWzEAe8130DYvFLXveRBTuuTLp6HKnueFL1yDwyjaMKVBktubD12i+ tQWCndWQjXewN6umui7crQvl+AvHszCadZ3VnFIlVk1DN4AaLWaGeDgw48d2z09wMdTAfzZe swVLyJ1awjNaAFOPVFRD48imOCvhT/0dDgwRFC9/PJrpTSMilEsluGya7I5efTTLSlRtm+eq njL4CLSBRYCOcbE4TGE7mitlqnEmiaTtIc6ROHlqqA22Qb7Kmo7FDMudUfl8OGAg3WDXO50M 2032CQQsv1nnKCsZpynN/Gim1aUsxhZV9dOHukS7ACW1rGS8wufHnIDTDNKdJohrsBebTAjy FKhhd7iAj1r9rqPRhqgGqy8qDqzPW0fKz8EbCpdFw8duYC8+8c0kw7FSctlHOitlNrpFDrsw jeM6i8jm7EUis1N3KK+lbzavw+RSlHyZlZdzm3qsqiNt2uVuKbNi1SU1GXm
  • Ironport-hdrordr: A9a23:r4PXT6gfuhKgxuO2ahP7ty8xgXBQX/J23DAbv31ZSRFFG/FwyP rCoB1L73XJYWgqM03IwerwQ5VpQRvnhP1ICRF4B8buYOCUghrTEGgE1/qv/9SAIVy1ygc578 tdmsdFebrN5DRB7PoSpTPIa+rIo+P3v5xA592uqUuFJDsCA84P0+46MHfjLqQcfnglOXNNLu v52iMxnUvERZ14VKSGL0hAe9KGi8zAlZrgbxJDLxk76DOWhTftxK/mHwOe1hI+VSoK5bs562 DKnyHw+63m6piAu17h/l6Wy64TtMrqy9NFCsDJos8JKg/0ggLtSJV9V6aEtDUVpvjqzFoxit HDrzopIsw2wXLMeWOepwfrxmDboXgTwk6n7WXdrWrooMT/Sj5/IdFGn5hlfhzQ7FdllM1g0Y pQtljp9KZ/PFflpmDQ9tLIXxZlmg6funw5i9MeiHRZTM83dKJRl4oC50lYea1wXh4SqbpXVd WGPvuso8q+QmnqKUwxeVMfmeBEa05DWituhHJy4vB9nQImx0yRhHFoufD31k1wiK7VDaM0p9 gse54Y6o2nBKUtHN1ALfZETs2tBmPXRxXQdGqUPFT8DakCf2nAspjt/dwOlaiXkbEzvewPca 76ISVlnH93f1irBdyF3ZVN/ByISGKhXS71wsUb45RioLXzSLfiLCXGETkV4oCdiuRaBteeV+ e4OZpQDfOmJWzyGZxR1wm7X5VJM3ERXMAcp95+UVOTpcDALJHsq4XgAb7uDauoFSxhVnL0A3 MFUjS2LMJc7lqzUnu9mxTVU2OFQD2KwXuxKtmuwwE+8vl/CmQXiHlltb2Q3LD6FRRS9qorYU B5PLTr1qumuGjexxe701lU
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHY/4p9GINVmjprlEGx5iAuzyYE1a5NyDSAgABOFgA=
  • Thread-topic: [PATCH] tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free

On 24/11/2022 09:03, Edwin Torok wrote:
>> On 23 Nov 2022, at 22:25, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>>
>> The binding for xc_interface_close() free the underlying handle while leaving
>> the Ocaml object still in scope and usable.  This would make it easy to 
>> suffer
>> a use-after-free, if it weren't for the fact that the typical usage is as a
>> singleton that lives for the lifetime of the program.
>>
>> Ocaml 5 no longer permits storing a naked C pointer in an Ocaml value.
>>
>> Therefore, use a Custom block.  This allows us to use the finaliser callback
>> to call xc_interface_close(), if the Ocaml object goes out of scope.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>> ---
>> CC: Christian Lindig <christian.lindig@xxxxxxxxxx>
>> CC: David Scott <dave@xxxxxxxxxx>
>> CC: Edwin Torok <edvin.torok@xxxxxxxxxx>
>> CC: Rob Hoes <Rob.Hoes@xxxxxxxxxx>
>>
>> I've confirmed that Xenctrl.close_handle does cause the finaliser to be
>> called, simply by dropping the handle reference.
>
> Thanks, a good way to test this is with OCAMLRUNPARAM=c, possible under 
> valgrind, which causes all finalisers to be called on exit
> (normally they are not because the program is exiting anyway)

I do that anyway, but it's not relevant here.

What matters is checking that calling close_handle releases the object
(albeit with a forced GC sweep) before the program ends.

>> diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c 
>> b/tools/ocaml/libs/xc/xenctrl_stubs.c
>> index f37848ae0bb3..4e1204085422 100644
>> --- a/tools/ocaml/libs/xc/xenctrl_stubs.c
>> +++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
>> @@ -37,13 +37,28 @@
>>
>> #include "mmap_stubs.h"
>>
>> -#define _H(__h) ((xc_interface *)(__h))
>> +#define _H(__h) (*((xc_interface **)Data_custom_val(__h)))
>> #define _D(__d) ((uint32_t)Int_val(__d))
>
> I think this requires an update in xenopsd too to match, otherwise it'll 
> crash:
> https://github.com/xapi-project/xenopsd/blob/master/c_stubs/xenctrlext_stubs.c#L32

Urgh.  I'll take a note to do that when bringing in the change.

> This wasn't an issue with the original patch which used Data_abstract_val 
> here, because
> that (currently) happens to boil down to just a cast (with some GC metadata 
> *before* it),
> so the old way of just casting OCaml value to C pointer still worked.
>
> However Data_custom_val boils down to accessing a value at +sizeof(value) 
> offset,
> so xenopsd would now read the wrong pointer.
> Perhaps it would've been better to have this _H defined in some header, 
> otherwise extending Xenctrl the way xenopsd does it is quite brittle.

Exporting _H won't help because everything is statically built.  It's
brittle because xenopsd has got a local piece of C playing around with
the internals of someone else's library.  This violates more rules than
I care to list.

We (XenServer) should definitely work to improve things, but this is
entirely a xenopsd problem, not an upstream Xen problem.

~Andrew

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.