From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH 1/8] xen/guest_access: Harden copy_to_guest_offset to prevent const dest operand
From: Jan Beulich
To: Julien Grall
Cc: Stefano Stabellini, Wei Liu, Andrew Cooper, Julien Grall, dfaggioli@suse.com,
 xen-devel@lists.xenproject.org, Volodymyr Babchuk, Roger Pau Monné
Date: Wed, 1 Apr 2020 08:48:23 +0200
Message-ID: <2ce142db-dd2d-4ef2-ee18-9d67d491e400@suse.com>
References: <20200330192157.1335-1-julien@xen.org> <20200330192157.1335-2-julien@xen.org> <33a36f0e-5adb-b8af-445c-bab765c84589@suse.com>
In-Reply-To:
List-Id: Xen developer discussion
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0

On 31.03.2020 21:13, Julien Grall wrote:
> On 31/03/2020 08:26, Jan Beulich wrote:
>> On 30.03.2020 21:21, Julien Grall wrote:
>>> From: Julien Grall
>>>
>>> At the moment, copy_to_guest_offset() will allow the hypervisor to copy
>>> data to guest handle marked const.
>>>
>>> Thankfully, no users of the helper will do that. Rather than hoping this
>>> can be caught during review, harden copy_to_guest_offset() so the build
>>> will fail if such users are introduced.
>>
>> But there are other implications you break:
>>
>>> --- a/xen/include/asm-arm/guest_access.h
>>> +++ b/xen/include/asm-arm/guest_access.h
>>> @@ -126,7 +126,7 @@ int access_guest_memory_by_ipa(struct domain *d, paddr_t ipa, void *buf,
>>>     #define __copy_to_guest_offset(hnd, off, ptr, nr) ({    \
>>>       const typeof(*(ptr)) *_s = (ptr);                   \
>>> -    char (*_d)[sizeof(*_s)] = (void *)(hnd).p;          \
>>> +    typeof(*((hnd).p)) *_d = (hnd).p;                   \
>>>       ((void)((hnd).p == (ptr)));                         \
>>>       __raw_copy_to_guest(_d+(off), _s, sizeof(*_s)*(nr));\
>>
>> Until this change, it is "ptr" which all sizes get derived from,
>> i.e. it is the internally used type rather than the handle type
>> which controls this. I'm sure we use this in a few places, to
>> copy to e.g. a handle derived from "void". Compatibility of types
>> (disallowing other than void) is checked by the comparison on the
>> line immediately after the line you change. Yes "_d+(off)" right
>> above here then changes its result. I consider it pretty likely
>> you'd notice this issue once you go beyond just build testing.
>
> I missed that part. To be honest, it feels wrong to me to have
> "off" != 0 and use a void type for the handle. Would it make
> sense to forbid it?

I don't think so - the idea (aiui) has always been for the Xen
internal object's type to control what gets copied, and hence a
void handle is to be fine for both copy-in and copy-out.

> As a side note, I have updated __copy_to_guest_offset() but
> forgot to update copy_to_guest_offset(). I will look to apply
> the modifications we agree on both sides.

Ah, sure.

>> To address this, I guess we need to find an expression along the
>> lines of that comparison, which does not cause any code to be
>> generated, but which verifies the properties we care about. The
>> line you change should be left alone, from all I can tell right
>> now.
>
> I am not aware of any way before C11 to check if a variable is
> const or not.
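Review bot: the `+` line changes what `_d+(off)` is scaled by. With `char (*_d)[sizeof(*_s)]` the offset advances by `off * sizeof(*ptr)` whatever the handle's type; with `typeof(*((hnd).p)) *_d` it advances by `off * sizeof(*(hnd).p)`, so for a `void` handle, which the `((void)((hnd).p == (ptr)))` comparison on the next line deliberately still permits, this degrades to byte arithmetic and a non-zero `off` copies to the wrong place. Keep the original `_d` declaration and add a separate check on the const qualification of `(hnd).p` that, like that comparison, generates no code; `copy_to_guest_offset()` in the same header needs the same treatment and this hunk does not touch it.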
> If we wanted to keep allowing a void type for the handle, then a
> possible approach would be:
>
> #define copy_to_guest_offset(hnd, off, ptr, nr) ({              \
>     const typeof(*(ptr)) *_s = (ptr);                           \
>     typeof(*((hnd).p)) *_d = (hnd).p;                           \
>     size_t mul = (sizeof(*(hnd).p) > 1) ? 1 : sizeof (*_s);     \
>     ((void)((hnd).p == (ptr)));                                 \
>     raw_copy_to_guest(_d + (off) * mul, _s, sizeof(*_s)*(nr));  \
> })
>
> I don't particularly like it but I could not come up with better so far.

Not very nice indeed, and the conditional expression - at the first
glance being the wrong way round - seems outright confusing to me.
I'll try to find time to experiment some with this as well, since
unless we can find a reasonably neat solution here, I'm inclined to
suggest to leave this as it is now.

Jan
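The kind of expression Jan asks for, shown as an added stand-alone C example (not Xen's code and not either participant's macro): a const check on the handle's pointer type via `__builtin_types_compatible_p()`, evaluated inside `sizeof()` so it emits no code, while the `_d` declaration and hence the offset scaling stay as in the pre-patch macro, so a void handle with a non-zero offset keeps working. `DEFINE_HANDLE`, `raw_copy_to_guest()` (a memcpy stand-in) and `REJECT_CONST_HANDLE` are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed stand-ins: a handle wraps a typed pointer; the "guest" is plain memory. */
#define DEFINE_HANDLE(type) struct { type *p; }

static void *raw_copy_to_guest(void *to, const void *from, size_t len)
{
    memcpy(to, from, len);
    return to;
}

/* No-codegen const check: __builtin_types_compatible_p() ignores only
 * top-level qualifiers, so "T *" vs "const T *" is 0 while "const T *"
 * vs "const T *" is 1; a negative array size then fails the build. */
#define REJECT_CONST_HANDLE(hnd)                                     \
    ((void)sizeof(char[1 - 2 * __builtin_types_compatible_p(         \
        __typeof__((hnd).p), const __typeof__(*(hnd).p) *)]))

/* _d is declared as in the pre-patch macro: offset scaled by the source size. */
#define copy_to_guest_offset(hnd, off, ptr, nr) ({                   \
    const __typeof__(*(ptr)) *_s = (ptr);                            \
    char (*_d)[sizeof(*_s)] = (void *)(hnd).p;                       \
    REJECT_CONST_HANDLE(hnd);                                        \
    ((void)((hnd).p == (ptr)));                                      \
    raw_copy_to_guest(_d + (off), _s, sizeof(*_s) * (nr));           \
})

/* void handle with off = 2: data must land at guest[2], i.e. byte 8. */
static int demo_void_handle_offset(void)
{
    uint32_t guest[8] = {0};
    DEFINE_HANDLE(void) hnd = { guest };
    const uint32_t src[2] = { 0x11111111u, 0x22222222u };
    copy_to_guest_offset(hnd, 2, src, 2);
    return guest[1] == 0 && guest[2] == src[0] && guest[3] == src[1] && guest[4] == 0;
}

/* Typed handle: same macro.  A const handle would not compile:
 *   DEFINE_HANDLE(const uint32_t) ch = { guest };
 *   copy_to_guest_offset(ch, 0, src, 1);  -> "size of array is negative" */
static uint32_t demo_typed_handle(void)
{
    uint32_t guest[8] = {0};
    DEFINE_HANDLE(uint32_t) hnd = { guest };
    const uint32_t src[3] = { 7, 8, 9 };
    copy_to_guest_offset(hnd, 5, src, 3);
    return guest[5] + guest[6] + guest[7];   /* 24 */
}
```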