From: "Jan Beulich" <JBeulich@suse.com>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Keir Fraser <keir@xen.org>,
ross.lagerwall@citrix.com, andrew.cooper3@citrix.com,
Ian Jackson <ian.jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>,
mpohlack@amazon.de, sasha.levin@oracle.com,
xen-devel@lists.xenproject.org
Subject: Re: [PATCH v9 10/27] xsplice: Add helper elf routines
Date: Tue, 26 Apr 2016 06:37:14 -0600 [thread overview]
Message-ID: <571F7D1A02000078000E5D4E@prv-mh.provo.novell.com> (raw)
In-Reply-To: <1461598514-5440-11-git-send-email-konrad.wilk@oracle.com>
>>> On 25.04.16 at 17:34, <konrad.wilk@oracle.com> wrote:
> From: Ross Lagerwall <ross.lagerwall@citrix.com>
>
> Add Elf routines and data structures in preparation for loading an
> xSplice payload.
>
> We make an assumption that the max number of sections an ELF payload
> can have is 64. We can in future make this be dependent on the
> names of the sections and verifying against a list, but for right now
> this suffices.
>
> Also we a whole lot of checks to make sure that the ELF payload
> file is not corrupted nor that the offsets point past the file.
>
> For most of the checks we print an message if the hypervisor is built
> with debug enabled.
>
> Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
> Reviewed-by: Andrew Cooper<andrew.cooper3@citrix.com>
Again ...
> v9: Changed elf_verify_strtab to use const char and return EINVAL.
> Remove 'if ( !delta )' check in elf_resolve_sections
> Remove stale comments.
> Fixed one off check against sh_link.
> Document boundary checks against shstrtab and symtab.
> Fixed return codes in xsplice_header_check.
> Add check for sections to not be within ELF header.
> Added overflow check for e_shoff in xsplice_header_check.
> Moved XSPLICE macro by four tabs.
> Make ->sym be const.
... way too many changes for pre-existing tags to stay, at least
for my taste.
> +static int elf_resolve_sections(struct xsplice_elf *elf, const void *data)
> +{
> + struct xsplice_elf_sec *sec;
> + unsigned int i;
> + Elf_Off delta;
> + int rc;
> +
> + /* xsplice_elf_load sanity checked e_shnum. */
> + sec = xmalloc_array(struct xsplice_elf_sec, elf->hdr->e_shnum);
> + if ( !sec )
> + {
> + dprintk(XENLOG_ERR, XSPLICE"%s: Could not allocate memory for section table!\n",
> + elf->name);
> + return -ENOMEM;
> + }
> +
> + elf->sec = sec;
> +
> + /* e_shoff and e_shnum overflow checks are done in xsplice_header_check. */
> + delta = elf->hdr->e_shoff + elf->hdr->e_shnum * elf->hdr->e_shentsize;
The added comment just helps make obvious that the overflow I
believe Andrew was worried about is still not being taken care of:
All xsplice_header_check() does is range check the two values
mentioned in the comment. But I agree that a proper range check
(at once eliminating overflow concerns for the arithmetic here)
would better live there (and also see there).
> + if ( delta > elf->len )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Section table is past end of payload!\n",
> + elf->name);
> + return -EINVAL;
> + }
> +
> + for ( i = 1; i < elf->hdr->e_shnum; i++ )
> + {
> + delta = elf->hdr->e_shoff + i * elf->hdr->e_shentsize;
> +
> + sec[i].sec = data + delta;
> +
> + delta = sec[i].sec->sh_offset;
> + /*
> + * N.B. elf_resolve_section_names, elf_get_sym skip this check as
> + * we do it here.
> + */
> + if ( delta < sizeof(Elf_Ehdr) ||
> + (delta + sec[i].sec->sh_size > elf->len) )
The second half of the check needs to be skipped for SHT_NOBITS
sections. And beware of overflow again - both addends alone may
be too large, but the sum may be within range.
> +static int elf_get_sym(struct xsplice_elf *elf, const void *data)
> +{
> + const struct xsplice_elf_sec *symtab_sec, *strtab_sec;
> + struct xsplice_elf_sym *sym;
> + unsigned int i, delta, offset, nsym;
> +
> + symtab_sec = elf->symtab;
> + strtab_sec = elf->strtab;
> +
> + /* Pointers arithmetic to get file offset. */
> + offset = strtab_sec->data - data;
> +
> + /* Checked already in elf_resolve_sections, but just in case. */
> + ASSERT(offset == strtab_sec->sec->sh_offset);
> + ASSERT(offset < elf->len && (offset + strtab_sec->sec->sh_size <= elf->len));
> +
> + /* symtab_sec->data was computed in elf_resolve_sections. */
> + ASSERT((symtab_sec->sec->sh_offset + data) == symtab_sec->data);
> +
> + /* No need to check values as elf_resolve_sections did it. */
> + nsym = symtab_sec->sec->sh_size / symtab_sec->sec->sh_entsize;
> +
> + sym = xmalloc_array(struct xsplice_elf_sym, nsym);
> + if ( !sym )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Could not allocate memory for symbols\n",
> + elf->name);
> + return -ENOMEM;
> + }
> +
> + /* So we don't leak memory. */
> + elf->sym = sym;
> +
> + for ( i = 1; i < nsym; i++ )
> + {
> + Elf_Sym *s = &((Elf_Sym *)symtab_sec->data)[i];
I'm sorry for not spotting this earlier, but the calculation here needs
to follow that of the section pointers into the section table, i.e. use
symtab_sec->sec->sh_entsize (which afaict at once will allow getting
rid of the cast, and which I guess will make obvious that this lacks a
const qualifier).
> + delta = s->st_name;
> + /* Boundary check within the .strtab. */
> + if ( delta > strtab_sec->sec->sh_size )
>= (just like in elf_resolve_section_names())
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Symbol [%u] data is past end of payload!\n",
Message text does not match context (also in
elf_resolve_section_names() as I now see).
> + elf->name, i);
> + return -EINVAL;
> + }
> +
> + sym[i].sym = s;
> + sym[i].name = data + (delta + offset);
I think this
sym[i].name = strtab_sec->data + delta;
would be more obvious to the reader.
> +static int xsplice_header_check(const struct xsplice_elf *elf)
> +{
> + const Elf_Ehdr *hdr = elf->hdr;
> +
> + if ( sizeof(*elf->hdr) > elf->len )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Section header is bigger than payload!\n",
> + elf->name);
> + return -EINVAL;
> + }
> +
> + if ( !IS_ELF(*hdr) )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Not an ELF payload!\n", elf->name);
> + return -EINVAL;
> + }
> +
> + if ( hdr->e_ident[EI_CLASS] != ELFCLASS64 ||
> + hdr->e_ident[EI_DATA] != ELFDATA2LSB ||
> + hdr->e_ident[EI_OSABI] != ELFOSABI_SYSV ||
What about EI_VERSION and EI_ABIVERSION, btw?
> + hdr->e_type != ET_REL ||
> + hdr->e_phnum != 0 )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Invalid ELF payload!\n", elf->name);
> + return -EOPNOTSUPP;
> + }
> +
> + if ( elf->hdr->e_shstrndx == SHN_UNDEF )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Section name idx is undefined!?\n",
> + elf->name);
> + return -EINVAL;
> + }
> +
> + /* Check that section name index is within the sections. */
> + if ( elf->hdr->e_shstrndx >= elf->hdr->e_shnum )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Section name idx (%u) is past end of sections (%u)!\n",
> + elf->name, elf->hdr->e_shstrndx, elf->hdr->e_shnum);
> + return -EINVAL;
> + }
> +
> + if ( elf->hdr->e_shnum > 64 )
> + {
> + dprintk(XENLOG_ERR, XSPLICE "%s: Too many (%u) sections!\n",
> + elf->name, elf->hdr->e_shnum);
> + return -EOPNOTSUPP;
> + }
> +
> + if ( elf->hdr->e_shoff > ULONG_MAX )
Why not ">= elf->len" (and I see it was almost that way in v8.1)?
And then followed (further down) by another check taking
elf->hdr->e_shnum * elf->hdr->e_shentsize into account (of
course as things stand now, elf->hdr->e_shentsize can also be
arbitrarily large, so this would need to be suitably structured
- e.g. "(elf->len - elf->hdr->e_shoff) / elf->hdr->e_shentsize <
elf->hdr->e_shnum").
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-04-26 12:37 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-25 15:34 [PATCH 9] xSplice v1 design and implementation Konrad Rzeszutek Wilk
2016-04-25 15:34 ` [PATCH v9 01/27] Revert "libxc/libxl/python/xenstat/ocaml: Use new XEN_VERSION hypercall" Konrad Rzeszutek Wilk
2016-04-25 15:48 ` Jan Beulich
2016-04-25 15:53 ` Wei Liu
2016-04-25 15:34 ` [PATCH v9 02/27] Revert "HYPERCALL_version_op. New hypercall mirroring XENVER_ but sane." Konrad Rzeszutek Wilk
2016-04-25 15:34 ` [PATCH v9 03/27] xsplice: Design document Konrad Rzeszutek Wilk
2016-04-25 15:34 ` [PATCH v9 04/27] xen/xsplice: Hypervisor implementation of XEN_XSPLICE_op Konrad Rzeszutek Wilk
2016-04-26 7:48 ` Ross Lagerwall
2016-04-26 7:52 ` Ross Lagerwall
2016-04-26 10:21 ` Jan Beulich
2016-04-26 17:50 ` Konrad Rzeszutek Wilk
2016-04-27 6:51 ` Jan Beulich
2016-04-27 13:47 ` Konrad Rzeszutek Wilk
2016-04-27 14:11 ` Jan Beulich
2016-04-25 15:34 ` [PATCH v9 05/27] libxc: Implementation of XEN_XSPLICE_op in libxc Konrad Rzeszutek Wilk
2016-04-26 7:51 ` Ross Lagerwall
2016-04-25 15:34 ` [PATCH v9 06/27] xen-xsplice: Tool to manipulate xsplice payloads Konrad Rzeszutek Wilk
2016-04-26 7:49 ` Ross Lagerwall
2016-04-25 15:34 ` [PATCH v9 07/27] arm/x86: Use struct virtual_region to do bug, symbol, and (x86) exception tables lookup Konrad Rzeszutek Wilk
2016-04-26 10:31 ` Jan Beulich
2016-04-25 15:34 ` [PATCH v9 08/27] arm/x86/vmap: Add v[z|m]alloc_xen and vm_init_type Konrad Rzeszutek Wilk
2016-04-26 10:47 ` Jan Beulich
2016-04-27 2:38 ` Konrad Rzeszutek Wilk
2016-04-27 7:12 ` Jan Beulich
2016-04-27 13:46 ` Konrad Rzeszutek Wilk
2016-04-27 14:15 ` Jan Beulich
2016-04-25 15:34 ` [PATCH v9 09/27] x86/mm: Introduce modify_xen_mappings() Konrad Rzeszutek Wilk
2016-04-25 15:34 ` [PATCH v9 10/27] xsplice: Add helper elf routines Konrad Rzeszutek Wilk
2016-04-26 10:05 ` Ross Lagerwall
2016-04-26 11:52 ` Jan Beulich
2016-04-26 12:37 ` Jan Beulich [this message]
2016-04-27 1:59 ` Konrad Rzeszutek Wilk
2016-04-27 7:27 ` Jan Beulich
2016-04-27 14:00 ` Konrad Rzeszutek Wilk
2016-04-27 4:06 ` Konrad Rzeszutek Wilk
2016-04-27 7:52 ` Jan Beulich
2016-04-27 18:45 ` Konrad Rzeszutek Wilk
2016-04-25 15:34 ` [PATCH v9 11/27] xsplice: Implement payload loading Konrad Rzeszutek Wilk
2016-04-26 10:48 ` Ross Lagerwall
2016-04-26 13:39 ` Jan Beulich
2016-04-27 1:47 ` Konrad Rzeszutek Wilk
2016-04-27 7:57 ` Jan Beulich
2016-04-27 3:28 ` Konrad Rzeszutek Wilk
2016-04-27 8:28 ` Jan Beulich
2016-04-27 15:48 ` Konrad Rzeszutek Wilk
2016-04-27 16:06 ` Jan Beulich
2016-04-27 16:14 ` Jan Beulich
2016-04-27 18:40 ` Konrad Rzeszutek Wilk
2016-04-25 15:34 ` [PATCH v9 12/27] xsplice: Implement support for applying/reverting/replacing patches Konrad Rzeszutek Wilk
2016-04-26 15:21 ` Jan Beulich
2016-04-27 3:39 ` Konrad Rzeszutek Wilk
2016-04-27 8:36 ` Jan Beulich
2016-05-11 9:51 ` Martin Pohlack
2016-05-11 13:56 ` Konrad Rzeszutek Wilk
2016-04-25 15:35 ` [PATCH v9 13/27] x86/xen_hello_world.xsplice: Test payload for patching 'xen_extra_version' Konrad Rzeszutek Wilk
2016-04-26 15:31 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 14/27] xsplice, symbols: Implement symbol name resolution on address Konrad Rzeszutek Wilk
2016-04-26 15:48 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 15/27] xsplice, symbols: Implement fast symbol names -> virtual addresses lookup Konrad Rzeszutek Wilk
2016-04-26 15:53 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 16/27] x86, xsplice: Print payload's symbol name and payload name in backtraces Konrad Rzeszutek Wilk
2016-04-26 11:06 ` Ross Lagerwall
2016-04-26 12:41 ` Jan Beulich
2016-04-26 12:48 ` Ross Lagerwall
2016-04-26 13:41 ` Jan Beulich
2016-04-27 3:31 ` Konrad Rzeszutek Wilk
2016-04-27 8:37 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 17/27] xsplice: Add support for bug frames Konrad Rzeszutek Wilk
2016-04-26 11:05 ` Ross Lagerwall
2016-04-26 13:08 ` Ross Lagerwall
2016-04-26 15:58 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 18/27] xsplice: Add support for exception tables Konrad Rzeszutek Wilk
2016-04-26 16:01 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 19/27] xsplice: Add support for alternatives Konrad Rzeszutek Wilk
2016-04-27 8:58 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 20/27] build_id: Provide ld-embedded build-ids Konrad Rzeszutek Wilk
2016-04-25 15:35 ` [PATCH v9 21/27] xsplice: Print build_id in keyhandler and on bootup Konrad Rzeszutek Wilk
2016-04-25 15:35 ` [PATCH v9 22/27] XENVER_build_id/libxc: Provide ld-embedded build-id Konrad Rzeszutek Wilk
2016-04-25 15:35 ` [PATCH v9 23/27] libxl: info: Display build_id of the hypervisor Konrad Rzeszutek Wilk
2016-04-25 15:35 ` [PATCH v9 24/27] xsplice: Stacking build-id dependency checking Konrad Rzeszutek Wilk
2016-04-27 9:27 ` Jan Beulich
2016-04-27 16:36 ` Konrad Rzeszutek Wilk
2016-04-28 9:47 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 25/27] xsplice/xen_replace_world: Test-case for XSPLICE_ACTION_REPLACE Konrad Rzeszutek Wilk
2016-04-25 15:35 ` [PATCH v9 26/27] xsplice: Prevent duplicate payloads from being loaded Konrad Rzeszutek Wilk
2016-04-27 9:31 ` Jan Beulich
2016-04-25 15:35 ` [PATCH v9 27/27] MAINTAINERS/xsplice: Add myself and Ross as the maintainers Konrad Rzeszutek Wilk
2016-04-25 15:41 ` [PATCH 9] xSplice v1 design and implementation Jan Beulich
2016-04-25 15:47 ` Konrad Rzeszutek Wilk
2016-04-25 15:54 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=571F7D1A02000078000E5D4E@prv-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=keir@xen.org \
--cc=konrad.wilk@oracle.com \
--cc=mpohlack@amazon.de \
--cc=ross.lagerwall@citrix.com \
--cc=sasha.levin@oracle.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).