[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free

  • To: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • From: Edwin Torok <edvin.torok@xxxxxxxxxx>
  • Date: Thu, 24 Nov 2022 14:03:49 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=faxN35LKzPGT2r9ItmdavXbC1Ycc1lyFGQPJxy9f/+o=; b=RSpgsBTVdnTgQex5mrW217Dcvd1shAHgRjC6foJIwF8xfrifkrx2n3PeZMdTAQRmcBRFBMB81hQwS4LAAdfBjvXTw5CTfqrPicz3KhtAohxP7XgyY9wo8X/5L5emMO8ePtSrSJdCvhd89jV4mw96vmdA+yQtNGmkYmHNpn4DHSrzhdKAvVEQWm8r8vtHXFRPFtYXQSKZsOPnbe6IOCC7d4TXtwdEwkIDqTQCAoXc9pVOLDxQCR/4lXu2S7ovDByVzKgpeMUMWz9NRexFAc0i7OLN4vX+WIYz7IKm3JfDQl/i/ID99w/Z6VfBICfzBKkCHo7tvOF+569UndYz286fnA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jLDQnGS7XajWKsfjoK5itYQF2tr5hNUQmnCW2IhFIRecnTituEHjJ/8yydwyCXzCqGsxKUsu6Ng+GnKCcRkhXVdcFXRI3DljLuMs2zdR641kY8Yc0eGrmotZSZiymBHHFjUAJc9Uytr/mtCXVsdR+8i3KMOHHCyC8ERo6nCpPiTNiXn6hK0n5iIxvZv1Ki/8DN7p7UE0DBdKuPv4CuZ2yvHHfouPPM3AJeI0St9oNLRHAEXI8h9ITDIWqwW3/7x7+ksx65RhJjttT756KSNf46iMY2e8UMqr0EHD1VzE7RffUk34u3uNjkCgBsQrI6XAMlW/3AcbFZAR7WPCb5cKgQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, Rob Hoes <Rob.Hoes@xxxxxxxxxx>
  • Delivery-date: Thu, 24 Nov 2022 14:04:05 +0000
  • Ironport-data: A9a23:FQOAk6zGI5WfxU/H+dN6t+ckxyrEfRIJ4+MujC+fZmUNrF6WrkUAx 2IaCGiCaamPZDfwKIgia9iw/RsEvZ+EyIViG1RpriAxQypGp/SeCIXCJC8cHc8wwu7rFxs7s ppEOrEsCOhuExcwcz/0auCJQUFUjP3OHfykTbaeYUidfCc8IA85kxVvhuUltYBhhNm9Emult Mj75sbSIzdJ4RYtWo4vw//F+U0HUMja4mtC5AVnP6wT5jcyqlFOZH4hDfDpR5fHatE88t6SH 47r0Ly/92XFyBYhYvvNfmHTKxBirhb6ZGBiu1IOM0SQqkEqSh8ai87XAME0e0ZP4whlqvgqo Dl7WT5cfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQq2pYjqhljJBheAGEWxgp4KVNcr tEpJzMfVzSSqs2u0r+fYdV8nct2eaEHPKtH0p1h5RfwKK98BLrlE+DN79Ie2yosjMdTG/qYf 9AedTdkcBXHZVtIJ0sTD5U92uyvgxETcRUB8A7T+fVxvjWVlVMpuFTuGIO9ltiiSMlLn0Deu mXc+GfRCRAGLt2PjzGC9xpAg8efwHKiCNJPTNVU8NZLmFed5EMfIiY0amKS+MC3jXz5Qo5mf hl8Fi0G6PJaGFaQZsnwWVi0rWCJujYYWsFMCKsq5QeV0K3W7g2FQG8eQVZpZNU4uecsSDct1 1vPmMnmbQGDq5WQQHOZs72S/TW7PHFPKXdYPHBcCwwY/9PkvYc/yArVScpuG7K0iduzHizsx zeNr241gLB7YdM36phXNGvv21qEzqUlhCZsjukLdgpJNj9EWbM=
  • Ironport-hdrordr: A9a23:cCOA5a+XXYNpfhkOXN1uk+Hwdr1zdoMgy1knxilNoENuH/Bwxv rFoB1E73TJYW4qKQodcdDpAtjifZtFnaQFrLX5To3SJjUO31HYYL2KjLGSiQEIfheTygcz79 YGT0ETMrzN5B1B/L7HCWqDYpkdKbu8gcaVbI7lph8DIz2CKZsQljuRYTzrcHGeMTM2YabRY6 Dsg/avyQDBRV0nKuCAQlUVVenKoNPG0LrgfB49HhYirCWekD+y77b+Mh6AmjMTSSlGz7sO+X XM11WR3NTjj9iLjjvnk0PD5ZVfn9XsjvNFGcy3k8AQbhn8lwqyY4xlerua+BQ4uvum5loGmM TF5z0gI8NwwXXMeXzdm2qi5yDQlBIVr1Pyw16RhnXu5ebjQighNsZHjYVFNjPE9ksJprhHoe F29lPck6ASIQLLnSz76dSNfQptjFCIrX0rlvNWp2BDULEZdKRaoeUkjQFo+dY7bWfHAbIcYa 5T5fLnlbBrmJShHinkV1xUsZiRt7IIb0+7qwY5y5eoOnNt7Q1EJgMjtbAidzE7hdIAotB/lp r5G7Utm7dUQsAMa6VhQO8HXMusE2TIBQnBKWSIPD3cZeg60+Kkke+J3FwZ3pDcRHUz9upFpL 3RFFdD8WIicUPnDsODmJVN7xDWWW24GTDg0NtX6ZR1sqD1AOODC1zJdHk+18+75/kPCMzSXP i+fJpQHv/4NGPrXYJExRf3VZVeIWQXFMcVptE4UVSTpd+jEPyjisXLNPLIYLb9GzctXW3yRn MFQTjoPc1FqlumX3fp6SKhL08FunaPiK6YPJKqjNT7krJ9R7GkmjJl+WiR94WMNSBItLAwcQ 93PK7n+5nL11WLwQ==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHY/4p9nL2l64sg4kKJKi/wcWyqlK5NyCiAgABOI4CAAAW5AA==
  • Thread-topic: [PATCH] tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free

> On 24 Nov 2022, at 13:43, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx> wrote:
> 
> On 24/11/2022 09:03, Edwin Torok wrote:
>>> On 23 Nov 2022, at 22:25, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>>> 
>>> The binding for xc_interface_close() free the underlying handle while 
>>> leaving
>>> the Ocaml object still in scope and usable.  This would make it easy to 
>>> suffer
>>> a use-after-free, if it weren't for the fact that the typical usage is as a
>>> singleton that lives for the lifetime of the program.
>>> 
>>> Ocaml 5 no longer permits storing a naked C pointer in an Ocaml value.
>>> 
>>> Therefore, use a Custom block.  This allows us to use the finaliser callback
>>> to call xc_interface_close(), if the Ocaml object goes out of scope.
>>> 
>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>> ---
>>> CC: Christian Lindig <christian.lindig@xxxxxxxxxx>
>>> CC: David Scott <dave@xxxxxxxxxx>
>>> CC: Edwin Torok <edvin.torok@xxxxxxxxxx>
>>> CC: Rob Hoes <Rob.Hoes@xxxxxxxxxx>
>>> 
>>> I've confirmed that Xenctrl.close_handle does cause the finaliser to be
>>> called, simply by dropping the handle reference.
>> 
>> Thanks, a good way to test this is with OCAMLRUNPARAM=c, possible under 
>> valgrind, which causes all finalisers to be called on exit
>> (normally they are not because the program is exiting anyway)
> 
> I do that anyway, but it's not relevant here.
> 
> What matters is checking that calling close_handle releases the object
> (albeit with a forced GC sweep) before the program ends.
> 
>>> diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c 
>>> b/tools/ocaml/libs/xc/xenctrl_stubs.c
>>> index f37848ae0bb3..4e1204085422 100644
>>> --- a/tools/ocaml/libs/xc/xenctrl_stubs.c
>>> +++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
>>> @@ -37,13 +37,28 @@
>>> 
>>> #include "mmap_stubs.h"
>>> 
>>> -#define _H(__h) ((xc_interface *)(__h))
>>> +#define _H(__h) (*((xc_interface **)Data_custom_val(__h)))
>>> #define _D(__d) ((uint32_t)Int_val(__d))
>> 
>> I think this requires an update in xenopsd too to match, otherwise it'll 
>> crash:
>> https://github.com/xapi-project/xenopsd/blob/master/c_stubs/xenctrlext_stubs.c#L32
> 
> Urgh.  I'll take a note to do that when bringing in the change.
> 
>> This wasn't an issue with the original patch which used Data_abstract_val 
>> here, because
>> that (currently) happens to boil down to just a cast (with some GC metadata 
>> *before* it),
>> so the old way of just casting OCaml value to C pointer still worked.
>> 
>> However Data_custom_val boils down to accessing a value at +sizeof(value) 
>> offset,
>> so xenopsd would now read the wrong pointer.
>> Perhaps it would've been better to have this _H defined in some header, 
>> otherwise extending Xenctrl the way xenopsd does it is quite brittle.
> 
> Exporting _H won't help because everything is statically built. 


As long as you don't rebuilt xenopsd you will keep using the old C stubs that 
xenopsd got compiled with, the change in Xen will have no effect until xenopsd 
is recompiled,
at which point it could pick up the new _H if available, but I agree with your 
point below.


> It's
> brittle because xenopsd has got a local piece of C playing around with
> the internals of someone else's library.  This violates more rules than
> I care to list.
> 
> We (XenServer) should definitely work to improve things, but this is
> entirely a xenopsd problem, not an upstream Xen problem.


It is a lot easier to add new xenctrl bindings and test them out in xenopsd 
than it is to add them to Xen.
We should try to either upstream all xenopsd xenctrl bindings to Xen, and make 
it easier to add them to Xen going forward;
or move all the Xenctrl bindings to xenopsd, then at least you only need to 
rebuild the one piece you are changing.

But to do the latter we first need to get everything that relies on xenctrl to 
move to more stable interfaces (including oxenstored).
There are some Mirage libraries as well that use xenctrl, when a more suitable 
stable interface exists in newer versions of Xen that they should use instead.

Perhaps a compromise between the 2 extremes would be for xenopsd to open and 
have its own xenctrl handle, even if that leads to some code duplication, it 
would at least not rely on an undocumented and unstable internal detail of an 
already unstable ABI. And that would still allow xenopsd to extend xenctrl with 
bindings that are not (yet) present in Xen.
What do you think?

Best regards,
--Edwin

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.