From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.3 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A906CC4361B for ; Fri, 18 Dec 2020 09:09:24 +0000 (UTC) Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4861423A5B for ; Fri, 18 Dec 2020 09:09:24 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4861423A5B Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=suse.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=xen-devel-bounces@lists.xenproject.org Received: from list by lists.xenproject.org with outflank-mailman.56408.98772 (Exim 4.92) (envelope-from ) id 1kqBl6-0004dX-Ef; Fri, 18 Dec 2020 09:09:08 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 56408.98772; Fri, 18 Dec 2020 09:09:08 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1kqBl6-0004dQ-Av; Fri, 18 Dec 2020 09:09:08 +0000 Received: by outflank-mailman (input) for mailman id 56408; Fri, 18 Dec 2020 09:09:07 +0000 Received: from all-amaz-eas1.inumbo.com ([34.197.232.57] helo=us1-amaz-eas2.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1kqBl4-0004dL-Ub for xen-devel@lists.xenproject.org; Fri, 18 Dec 2020 09:09:06 +0000 Received: from mx2.suse.de (unknown [195.135.220.15]) by us1-amaz-eas2.inumbo.com (Halon) with ESMTPS id bb64db33-986e-4335-82ca-83f414eae4bb; Fri, 18 Dec 2020 09:09:05 +0000 (UTC) Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id E30EBABC6; Fri, 18 Dec 2020 09:09:04 +0000 (UTC) X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: bb64db33-986e-4335-82ca-83f414eae4bb X-Virus-Scanned: by amavisd-new at test-mx.suse.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1608282545; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=TlK/cy7eG1Ho9xGe3WQnmVXfDIiuGqzGtZsbeGKxqHk=; b=kIDeHH+jwrWb4d9jKnhVpwOFt6qoAX/Hsgf2rNruJgW3FSTXlj/B/8HAkXWxz57gyRnuCO n1QPOzejY3w7eYkbQi+iwFdEu+RR6vwODSpksQ+6zXgthckvqPYmTrNm/E00bC9dQ+ltkK aPNbylh2V/kaNd9snNu6jaTOyZcAT+I= Subject: Re: [PATCH v3 5/8] xen/hypfs: add support for id-based dynamic directories To: =?UTF-8?B?SsO8cmdlbiBHcm/Dnw==?= Cc: Andrew Cooper , George Dunlap , Ian Jackson , Julien Grall , Stefano Stabellini , Wei Liu , xen-devel@lists.xenproject.org References: <20201209160956.32456-1-jgross@suse.com> <20201209160956.32456-6-jgross@suse.com> <2894a231-9150-7c09-cc5c-7ef52087acf5@suse.com> <5e0ac85e-ecba-86ad-b350-ff30e3a40a68@suse.com> From: Jan Beulich Message-ID: Date: Fri, 18 Dec 2020 10:09:05 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit On 18.12.2020 09:57, Jürgen Groß wrote: > On 17.12.20 13:14, Jan Beulich wrote: >> On 17.12.2020 12:32, Jürgen Groß wrote: >>> On 17.12.20 12:28, Jan Beulich wrote: >>>> On 09.12.2020 17:09, Juergen Gross wrote: >>>>> +static const struct hypfs_entry *hypfs_dyndir_enter( >>>>> + const struct hypfs_entry *entry) >>>>> +{ >>>>> + const struct hypfs_dyndir_id *data; >>>>> + >>>>> + data = hypfs_get_dyndata(); >>>>> + >>>>> + /* Use template with original enter function. */ >>>>> + return data->template->e.funcs->enter(&data->template->e); >>>>> +} >>>> >>>> At the example of this (applies to other uses as well): I realize >>>> hypfs_get_dyndata() asserts that the pointer is non-NULL, but >>>> according to the bottom of ./CODING_STYLE this may not be enough >>>> when considering the implications of a NULL deref in the context >>>> of a PV guest. Even this living behind a sysctl doesn't really >>>> help, both because via XSM not fully privileged domains can be >>>> granted access, and because speculation may still occur all the >>>> way into here. (I'll send a patch to address the latter aspect in >>>> a few minutes.) While likely we have numerous existing examples >>>> with similar problems, I guess in new code we'd better be as >>>> defensive as possible. >>> >>> What do you suggest? BUG_ON()? >> >> Well, BUG_ON() would be a step in the right direction, converting >> privilege escalation to DoS. The question is if we can't do better >> here, gracefully failing in such a case (the usual pair of >> ASSERT_UNREACHABLE() plus return/break/goto approach doesn't fit >> here, at least not directly). >> >>> You are aware that this is nothing a user can influence, so it would >>> be a clear coding error in the hypervisor? >> >> A user (or guest) can't arrange for there to be a NULL pointer, >> but if there is one that can be run into here, this would still >> require an XSA afaict. > > I still don't see how this could happen without a major coding bug, > which IMO wouldn't go unnoticed during a really brief test (this is > the reason for ASSERT() in hypfs_get_dyndata() after all). True. Yet the NULL derefs wouldn't go unnoticed either. > Its not as if the control flow would allow many different ways to reach > any of the hypfs_get_dyndata() calls. I'm not convinced of this - this is a non-static function, and the call patch 8 adds (just to take an example) is not very obvious to have a guarantee that allocation did happen and was checked for success. Yes, in principle cpupool_gran_write() isn't supposed to be called in such a case, but it's the nature of bugs assumptions get broken. > I can add security checks at the appropriate places, but I think this > would be just dead code. OTOH if you are feeling strong here lets go > with it. Going with it isn't the only possible route. The other is to drop the ASSERT()s altogether. It simply seems to me that their addition is a half-hearted attempt when considering what was added to ./CODING_STYLE not all that long ago. Jan