[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3 02/10] xen/version: Introduce non-truncating deterministically-signed XENVER_* subops
- To: Stefano Stabellini <sstabellini@xxxxxxxxxx>
- From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Date: Wed, 16 Aug 2023 20:25:04 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WoSRE/6FJlL9EzDVNVmBwF59LvyqOcX4Ft5ztafqC9o=; b=PvnNlDR7hy/WynOg5NHfjt7+Kp87uFxafmPxdklJHiq0LMCtojn0K/X38d0OpGsoXH6q0LeIOlru6L/v6kofFS3KmdAAx/kN/X7Sk0bMMkwxrcVh7llb0y7KYOK+FU9XcM5ubaaXz4URSXVrm8u/lykeogvx+8/MhzYgW79fY+y0wsU3SDrpcBdtLs3+j626BknYHZMM+M9V2UAvMvzMyVt01/BLjXbUbDQH21xAg6YyytZjj3Sajpt+9hjj6gP8x3eWzoH1q6PZqAt5UcGjboeW5lGiU9U0f1bydmx3XhJkkNBFWOJ2TXKwxJuRwWlccmbWi7Us5v8AJNHT15zZsQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TRJKPV6dNt4xTYuDlP4GseqUDScvleRFhOaCBAVv0WLzFTf/BPuD9GwKolplINjZHn9G0mlfQQYHyByMHeDX1pExxdU6rrl6Y6P62g3riwzYz0S/xzre2iQMm909E2Xl2hUIOgumQgAA4XS0geATyrF4BSguIiEWeRCwYw0C07ogMSLjCGbnmaYDeiCfr3cAiEQ4ZQovdgEnR5HfaGJwOE+q51mTb8CDJNaPgtuotMQQSP0x+QPDFWlhUCPZij0p1bL+eEAbKfwdZq4NXkP0yDsuOFcqVSTL8eYF4DfceejUEmcNvL8bEWkxP9GuVURXPmB5cZipzo5XZhKZTcm3cw==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jason Andryuk <jandryuk@xxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>
- Delivery-date: Wed, 16 Aug 2023 19:25:37 +0000
- Ironport-data: A9a23:Aqq3la5xxq6W/5LuYqgpDgxRtJDGchMFZxGqfqrLsTDasY5as4F+v mMYXz+OM/ncMDOmfot3bYvj8k8D78eDz4M3QAJtrCFhHi5G8cbLO4+Ufxz6V8+wwm8vb2o8t plDNYOQRCwQZiWBzvt4GuG59RGQ7YnRGvynTraCYnsrLeNdYH9JoQp5nOIkiZJfj9G8Agec0 fv/uMSaM1K+s9JOGjt8B5mr9lU35ZwehBtC5gZlPaAS4geE/5UoJMl3yZ+ZfiOQrrZ8RoZWd 86bpJml82XQ+QsaC9/Nut4XpWVTH9Y+lSDX4pZnc/DKbipq/0Te4Y5iXBYoUm9Fii3hojxE4 I4lWapc6+seFvakdOw1C3G0GszlVEFM0OevzXOX6aR/w6BaGpdFLjoH4EweZOUlFuhL7W5m3 +0yOBQ/Xwm/h82Uka3rVdF3lNU6M5y+VG8fkikIITDxK98DGMmGaYOaoNhS0XE3m9xEGuvYa 4wBcz1zYR/cYhpJfFAKFJY5m+TujX76G9FagAvN+exrvC6OnEoojuiF3Nn9I7RmQe18mEqCq 32A1GP+GhwAb/SUyCaf82LqjejK9c/+cNtLRObmqKA22zV/wEQ6NUZGenfkh8CEjxCTYfZid GkGpHQX+P1aGEuDC4OVsweDiGWfohcWVt5UEus7wAKA0KzZ50CeHGdsZi5MbpkqudE7QRQu1 0SVhJX5CDp3qrqXRHmBsLCOoluaOyETIXUTeCwsQg4M4t2lq4Y25jrtZNt+FK++jvXuBCr9h TuNqUAWmLE7ncMNkaKh8jjvgS+op5XPZh444EPQRG3Nxg92aIOqfYWA9UnQ7fEGKp2QCFaGo hAsl9CF6eESDbmEjCGXXPgWB7at+uqENzvHx1VoGvEJ1zmr4W/lQolW7xl3PkIvOcEBEQIFe 2fWsAJVoZVVbH2jaPYuZ5rrUpp6i6/9Cd7iS/bYKMJUZYR8fxOG+ycoYlOM22fqkw4nlqRX1 YqnTPtAxE0yUcxPpAdajc9EuVP37kjSHV/ueK0=
- Ironport-hdrordr: A9a23:WpWhEq+wFAK1/ziI8bpuk+DWI+orL9Y04lQ7vn2ZKCY4TiX8ra uTdZsguiMc5Ax+ZJhDo7C90di7IE80nKQdieN9AV7IZniEhILHFvAG0aLShxHmBi3i5qp8+M 5bAsxD4QTLfDpHsfo=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 16/08/2023 8:07 pm, Stefano Stabellini wrote:
> On Wed, 16 Aug 2023, Andrew Cooper wrote:
>> On 16/08/2023 1:19 am, Stefano Stabellini wrote:
>>> On Tue, 15 Aug 2023, Andrew Cooper wrote:
>>>> @@ -498,6 +499,59 @@ static int __init cf_check param_init(void)
>>>>
>>>> + sz = strlen(str);
>>>> +
>>>> + if ( sz > KB(64) ) /* Arbitrary limit. Avoid long-running
>>>> operations. */
>>>> + return -E2BIG;
>>> Realistically do we want this buffer to cross page boundaries?
>> A 1-byte answer can cross a page boundary, even if the hypercall
>> argument is correctly aligned (and even that is unspecified in the Xen ABI).
>>
>> But importantly, this series is also prep work to fixing the cmdline
>> limit. 1k is already causing problems, and 64k is a whole lot less bad
>> than 4k when we enter such corner cases.
> OK. It is just that 64K seems *a lot* in this context. But if you have
> reasons to believe that 64K is a good number for this check then OK.
Remember that this is all Xen cross-checking (or reporting to the user)
the length of Xen-owned data.
If the system was only booted only 10 bytes of cmdline, this will only
be 10.
If OTOH there really was 5k of data, handing E2BIG to the user when they
ask for it is slightly rude but is infinitely better than just
truncating it and returning success.
64k is just the upper bounds sanity check for "get a developer to look
at what's going on because this probably isn't what you thought it
was". Eventually when someone does find a legitimate use for a cmdline
longer than 64k, it will need upping, someone (else) can figure out the
long-running-ness of this scenario.
~Andrew
|