[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free

  • To: Edwin Torok <edvin.torok@xxxxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Thu, 24 Nov 2022 14:13:23 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=q9TIv+jBGRgt6msmGG+uhMUtu7e+mTwRPLnsSDmlyO0=; b=C/kHCjcrbJPEEzkCNpKpmA8L8JZKHXXLzobPG1J92dWtKieIEHulTR8WbLgWtFnzZv6KlVNNLe/sV7UeADJ/T6AxCbxaxzXN53tD+CaLcDwkKycPvf7rshFq7duF4PcJPxNG47Ndwz1NZ1yduuVf1b4UpM0CBcv+8zTsBQlYVpcroclS3rVwRH63d9DQTGzqjQnbDS63mdOArGV1IKfjcV83APSxinp84Z1GB8nJ/iDFE8wXm5FODSVIzWVQhgJTX8MUZ/NLvH9XKAxM9xG3ok6EgHvaCvRKa4DFK6dPBF96oHmb6paqeA/8lnuvNtfWSgs7HpT9tS50LmUb+G0R5A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FhVUspRE4C3Fy2r1O4s3rI1mmDh6l1S1nolq7Wa6T0T1QRWptfhJdGTh2RckftYyJkENJL7WhDpqfWWX0D7cZ+HHAp6JJzzIF87JdTSwvk5cQzVAytnIRA7Djmsa68i/4PcYNu4XOykpLHUqe+Uaco6fTb80e05hid9aTwkmQCFcKMmpIeqbLT1p2jsfJV9+3VmkiXkr/hx6lMU2R5WoS/0faB2DMyYD2IyQSSg3JzuvbHVq8m6wT61PEUE38h+j5xI3sVGjpw27LPbLKDqfcQLgPKVAfrKbc71SJAjyd5ZiK5jxLhN03FGw+c/M1aecpy9012gf/volV4zrkCoI1Q==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Christian Lindig <christian.lindig@xxxxxxxxxx>, David Scott <dave@xxxxxxxxxx>, Rob Hoes <Rob.Hoes@xxxxxxxxxx>
  • Delivery-date: Thu, 24 Nov 2022 14:13:38 +0000
  • Ironport-data: A9a23:E8T8w68K6MRlibfya3JGDrUDnH+TJUtcMsCJ2f8bNWPcYEJGY0x3y 2pODDjQPv+IMGDzKo1xbYS+/RgHucfXnIJmG1Q6+Ho8E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKucYHsZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ire7kIx1BjOkGlA5AZnPKoX5AW2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDklwq uwhcRYSbymohtqs0Z2JCflMo+cKeZyD0IM34hmMzBn/JNN/GNXpZfWP4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTWDilUvgdABM/KMEjCObexTklyVu STt+GPhDwtBHNee1SCE4jSngeqncSbTCN9KS+Tipq4CbFu7+zQjNyEPRVWAi/ykpG2eXNFiK Fcyw397xUQ13AnxJjXnZDWorXjBshMCVt54F+wh9BrL2qfS+xyeBGUPUnhGctNOnMM/WzECz FKCmNLtQzt1v9WopWm1876VqXa4P3gTJGpbPCscF1Jbsp/kvZ05iQ/JQpB7Cqmpg9bpGDb2h TeXsCw5gLZVhskOv0mmwW36b/uXjsChZmYICs//BwpJMisRiFaZWrGV
  • Ironport-hdrordr: A9a23:K23XRahaFAdC6XGVbmNFkW5OAnBQX/J23DAbv31ZSRFFG/FwyP rCoB1L73XJYWgqM03IwerwQ5VpQRvnhP1ICRF4B8buYOCUghrTEGgE1/qv/9SAIVy1ygc578 tdmsdFebrN5DRB7PoSpTPIa+rIo+P3v5xA592uqUuFJDsCA84P0+46MHfjLqQcfnglOXNNLu v52iMxnUvERZ14VKSGL0hAe9KGi8zAlZrgbxJDLxk76DOWhTftxK/mHwOe1hI+VSoK5bs562 DKnyHw+63m6piAu17h/l6Wy64TtMrqy9NFCsDJos8JKg/0ggLtSJV9V6aEtDUVpvjqzFoxit HDrzopIsw2wXLMeWOepwfrxmDboXgTwk6n7WXdrWrooMT/Sj5/IdFGn5hlfhzQ7FdllM1g0Y pQtljp9KZ/PFflpmDQ9tLIXxZlmg6funw5i9MeiHRZTM83dKJRl4oC50lYea1wXh4SqbpXVd WGPvuso8q+QmnqKUwxeVMfmeBEa05DWituhHJy4vB9nQImx0yRhHFoufD31k1wiK7VDaM0p9 gse54Y6o2nBKUtHN1ALfZETs2tBmPXRxXQdGqUPFT8DakCf2nAspjt/dwOlaiXkbEzvewPca 76ISVlnH93f1irBdyF3ZVN/ByISGKhXS71wsUb45RioLXzSLfiLCXGETkV4oCdiuRaBteeV+ e4OZpQDfOmJWzyGZxR1wm7X5VJM3ERXMAcp95+UVOTpcDALJHsq4XgAb7uDauoFSxhVnL0A3 MFUjS2LMJc7lqzUnu9mxTVU2OFQD2KwXuxKtmuwwE+8vl/CmQXiHlltb2Q3LD6FRRS9qorYU B5PLTr1qumuGjexxe701lU
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHY/4p9GINVmjprlEGx5iAuzyYE1a5NyDSAgABOFgCAAAXHgIAAAqyA
  • Thread-topic: [PATCH] tools/ocaml/xenctrl: OCaml 5 support, fix use-after-free
On 24/11/2022 14:03, Edwin Torok wrote:
>
>> On 24 Nov 2022, at 13:43, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx> wrote:
>>
>> On 24/11/2022 09:03, Edwin Torok wrote:
>>>> On 23 Nov 2022, at 22:25, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:
>>>>
>>>> The binding for xc_interface_close() free the underlying handle while 
>>>> leaving
>>>> the Ocaml object still in scope and usable.  This would make it easy to 
>>>> suffer
>>>> a use-after-free, if it weren't for the fact that the typical usage is as a
>>>> singleton that lives for the lifetime of the program.
>>>>
>>>> Ocaml 5 no longer permits storing a naked C pointer in an Ocaml value.
>>>>
>>>> Therefore, use a Custom block.  This allows us to use the finaliser 
>>>> callback
>>>> to call xc_interface_close(), if the Ocaml object goes out of scope.
>>>>
>>>> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
>>>> ---
>>>> CC: Christian Lindig <christian.lindig@xxxxxxxxxx>
>>>> CC: David Scott <dave@xxxxxxxxxx>
>>>> CC: Edwin Torok <edvin.torok@xxxxxxxxxx>
>>>> CC: Rob Hoes <Rob.Hoes@xxxxxxxxxx>
>>>>
>>>> I've confirmed that Xenctrl.close_handle does cause the finaliser to be
>>>> called, simply by dropping the handle reference.
>>> Thanks, a good way to test this is with OCAMLRUNPARAM=c, possible under 
>>> valgrind, which causes all finalisers to be called on exit
>>> (normally they are not because the program is exiting anyway)
>> I do that anyway, but it's not relevant here.
>>
>> What matters is checking that calling close_handle releases the object
>> (albeit with a forced GC sweep) before the program ends.
>>
>>>> diff --git a/tools/ocaml/libs/xc/xenctrl_stubs.c 
>>>> b/tools/ocaml/libs/xc/xenctrl_stubs.c
>>>> index f37848ae0bb3..4e1204085422 100644
>>>> --- a/tools/ocaml/libs/xc/xenctrl_stubs.c
>>>> +++ b/tools/ocaml/libs/xc/xenctrl_stubs.c
>>>> @@ -37,13 +37,28 @@
>>>>
>>>> #include "mmap_stubs.h"
>>>>
>>>> -#define _H(__h) ((xc_interface *)(__h))
>>>> +#define _H(__h) (*((xc_interface **)Data_custom_val(__h)))
>>>> #define _D(__d) ((uint32_t)Int_val(__d))
>>> I think this requires an update in xenopsd too to match, otherwise it'll 
>>> crash:
>>> https://github.com/xapi-project/xenopsd/blob/master/c_stubs/xenctrlext_stubs.c#L32
>> Urgh.  I'll take a note to do that when bringing in the change.
>>
>>> This wasn't an issue with the original patch which used Data_abstract_val 
>>> here, because
>>> that (currently) happens to boil down to just a cast (with some GC metadata 
>>> *before* it),
>>> so the old way of just casting OCaml value to C pointer still worked.
>>>
>>> However Data_custom_val boils down to accessing a value at +sizeof(value) 
>>> offset,
>>> so xenopsd would now read the wrong pointer.
>>> Perhaps it would've been better to have this _H defined in some header, 
>>> otherwise extending Xenctrl the way xenopsd does it is quite brittle.
>> Exporting _H won't help because everything is statically built. 
>
> As long as you don't rebuilt xenopsd you will keep using the old C stubs that 
> xenopsd got compiled with, the change in Xen will have no effect until 
> xenopsd is recompiled,
> at which point it could pick up the new _H if available, but I agree with 
> your point below.
>
>
>> It's
>> brittle because xenopsd has got a local piece of C playing around with
>> the internals of someone else's library.  This violates more rules than
>> I care to list.
>>
>> We (XenServer) should definitely work to improve things, but this is
>> entirely a xenopsd problem, not an upstream Xen problem.
>
> It is a lot easier to add new xenctrl bindings and test them out in xenopsd 
> than it is to add them to Xen.
> We should try to either upstream all xenopsd xenctrl bindings to Xen, and 
> make it easier to add them to Xen going forward;
> or move all the Xenctrl bindings to xenopsd, then at least you only need to 
> rebuild the one piece you are changing.
>
> But to do the latter we first need to get everything that relies on xenctrl 
> to move to more stable interfaces (including oxenstored).
> There are some Mirage libraries as well that use xenctrl, when a more 
> suitable stable interface exists in newer versions of Xen that they should 
> use instead.
>
> Perhaps a compromise between the 2 extremes would be for xenopsd to open and 
> have its own xenctrl handle, even if that leads to some code duplication, it 
> would at least not rely on an undocumented and unstable internal detail of an 
> already unstable ABI. And that would still allow xenopsd to extend xenctrl 
> with bindings that are not (yet) present in Xen.
> What do you think?

Many of these problems will disappear with a stable tools interface. 
But yes, in the short term, xcext opening its own handle would
definitely improve things by keeping the two sets of bindings separate.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.