[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 4/6] xen/livepatch: do Xen build-id check earlier

On Wed, Sep 25, 2024 at 11:21:01AM +0100, Andrew Cooper wrote:
> On 25/09/2024 9:42 am, Roger Pau Monne wrote:
> > The check against the expected Xen build ID should be done ahead of 
> > attempting
> > to apply the alternatives contained in the livepatch.
> >
> > If the CPUID in the alternatives patching data is out of the scope of the
> > running Xen featureset the BUG() in _apply_alternatives() will trigger thus
> > bringing the system down.  Note the layout of struct alt_instr could also
> > change between versions.  It's also possible for struct 
> > exception_table_entry
> > to have changed format, hence leading to other kind of errors if parsing of 
> > the
> > payload is done ahead of checking if the Xen build-id matches.
> >
> > Move the Xen build ID check as early as possible.  To do so introduce a new
> > check_xen_buildid() function that parses and checks the Xen build-id before
> > moving the payload.  Since the expected Xen build-id is used early to
> > detect whether the livepatch payload could be loaded, there's no reason to
> > store it in the payload struct, as a non-matching Xen build-id won't get the
> > payload populated in the first place.
> >
> > Note parse_buildid() has to be slightly adjusted to allow fetching the 
> > section
> > data from the 'data' field instead of the 'load_addr' one: with the Xen 
> > build
> > ID moved ahead of move_payload() 'load_addr' is not yet set when the Xen 
> > build
> > ID check is performed.  Also printing the expected Xen build ID has part of
> > dumping the payload is no longer done, as all loaded payloads would have Xen
> > build IDs matching the running Xen, otherwise they would have failed to 
> > load.
> >
> > Fixes: 879615f5db1d ('livepatch: Always check hypervisor build ID upon 
> > livepatch upload')
> > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
> 
> Much nicer.  A couple of suggestions.
> 
> > ---
> > Changes since v1:
> >  - Do the Xen build-id check even earlier.
> > ---
> >  xen/common/livepatch.c              | 66 +++++++++++++++++++----------
> >  xen/include/xen/livepatch_payload.h |  1 -
> >  2 files changed, 44 insertions(+), 23 deletions(-)
> >
> > diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c
> > index 8e61083f23a7..895c425cd5ea 100644
> > --- a/xen/common/livepatch.c
> > +++ b/xen/common/livepatch.c
> > @@ -448,24 +448,21 @@ static bool section_ok(const struct livepatch_elf 
> > *elf,
> >      return true;
> >  }
> >  
> > -static int xen_build_id_dep(const struct payload *payload)
> > +static int xen_build_id_dep(const struct livepatch_build_id *expected)
> >  {
> >      const void *id = NULL;
> >      unsigned int len = 0;
> >      int rc;
> >  
> > -    ASSERT(payload->xen_dep.len);
> > -    ASSERT(payload->xen_dep.p);
> > +    ASSERT(expected->len);
> > +    ASSERT(expected->p);
> >  
> >      rc = xen_build_id(&id, &len);
> >      if ( rc )
> >          return rc;
> >  
> > -    if ( payload->xen_dep.len != len || memcmp(id, payload->xen_dep.p, 
> > len) ) {
> > -        printk(XENLOG_ERR LIVEPATCH "%s: check against hypervisor build-id 
> > failed\n",
> > -               payload->name);
> > +    if ( expected->len != len || memcmp(id, expected->p, len) )
> >          return -EINVAL;
> > -    }
> 
> I'd suggest merging this into check_xen_buildid(), which is the single
> caller and serves the same singular purpose.
> 
> It removes the ASSERT() (expected is now a local variable), and it helps
> with some diagnostic improvements.

Sure.

> >  
> >      return 0;
> >  }
> > @@ -495,11 +493,44 @@ static int parse_buildid(const struct 
> > livepatch_elf_sec *sec,
> >     return 0;
> >  }
> >  
> > +static int check_xen_buildid(const struct livepatch_elf *elf)
> > +{
> > +    struct livepatch_build_id id;
> > +    const struct livepatch_elf_sec *sec =
> > +        livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_XEN_DEPENDS);
> > +    int rc;
> > +
> > +    if ( !sec )
> > +    {
> > +        printk(XENLOG_ERR LIVEPATCH "%s: %s is missing\n",
> 
> "%s: Section: '%s' missing\n".
> 
> (Maybe no single quotes around the section as we know it's non-empty.)
> 
> > +               elf->name, ELF_LIVEPATCH_XEN_DEPENDS);
> > +        return -EINVAL;
> > +    }
> > +
> > +    rc = parse_buildid(sec, &id);
> > +    if ( rc )
> > +    {
> > +        printk(XENLOG_ERR LIVEPATCH "%s: failed to parse build-id at %s: 
> > %d\n",
> 
> "%s: Failed to parse section '%s' as build id: %d\n".
> 
> > +               elf->name, ELF_LIVEPATCH_XEN_DEPENDS, rc);
> > +        return -EINVAL;
> > +    }
> > +
> > +    rc = xen_build_id_dep(&id);
> > +    if ( rc )
> > +    {
> > +        printk(XENLOG_ERR LIVEPATCH
> > +               "%s: check against hypervisor build-id failed: %d\n",
> 
> "%s: build-id mismatch:\n"
> "  livepatch: %*phN\n"
> "        xen: %*phN\n"
> 
> This needs xen_build_id_dep() inlining in order to have the xen build-id
> string, but the end result is much more informative.
> 
> I think I'm happy doing all of this on commit, but it might be a better
> idea not to.

No problem, I can send a v3.

Thanks, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.