lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <99d14fe8-2f7a-6133-ced7-0ecec732d135@suse.com>
Date:   Tue, 6 Feb 2018 15:29:10 +0100
From:   Juergen Gross <jgross@...e.com>
To:     Joao Martins <joao.m.martins@...cle.com>,
        xen-devel@...ts.xenproject.org, linux-kernel@...r.kernel.org
Cc:     Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        stable@...r.kernel.org
Subject: Re: [PATCH v2] xenbus: track caller request id

On 02/02/18 18:42, Joao Martins wrote:
> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent
> xenstore accesses") optimized xenbus concurrent accesses but in doing so
> broke UABI of /dev/xen/xenbus. Through /dev/xen/xenbus applications are in
> charge of xenbus message exchange with the correct header and body. Now,
> after the mentioned commit the replies received by application will no
> longer have the header req_id echoed back as it was on request (see
> specification below for reference), because that particular field is being
> overwritten by kernel.
> 
> struct xsd_sockmsg
> {
>   uint32_t type;  /* XS_??? */
>   uint32_t req_id;/* Request identifier, echoed in daemon's response.  */
>   uint32_t tx_id; /* Transaction id (0 if not related to a transaction). */
>   uint32_t len;   /* Length of data following this. */
> 
>   /* Generally followed by nul-terminated string(s). */
> };
> 
> Before there was only one request at a time so req_id could simply be
> forwarded back and forth. To allow simultaneous requests we need a
> different req_id for each message thus kernel keeps a monotonic increasing
> counter for this field and is written on every request irrespective of
> userspace value.
> 
> Forwarding again the req_id on userspace requests is not a solution because
> we would open the possibility of userspace-generated req_id colliding with
> kernel ones. So this patch instead takes another route which is to
> artificially keep user req_id while keeping the xenbus logic as is. We do
> that by saving the original req_id before xs_send(), use the private kernel
> counter as req_id and then once reply comes and was validated, we restore
> back the original req_id.
> 
> Cc: <stable@...r.kernel.org> # 4.11
> Fixes: fd8aa9095a ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
> Reported-by: Bhavesh Davda <bhavesh.davda@...cle.com>
> Signed-off-by: Joao Martins <joao.m.martins@...cle.com>

Reviewed-by: Juergen Gross <jgross@...e.com>


Juergen

> ---
> Here's a link to a unit test (https://pastebin.com/2q51j2sR) where req_id of
> reply and response are being asserted each request. Without this patch
> the assert will fail (e.g. try it with `./xswire_reqid_test name`). But
> on <= v4.10 or >= v4.11 with the fix above, it will print domain name 10
> times.
> 
> Changes since v1:
>  * Adjust commit message
>  (Comments from Juergen on IRC)
>  * Unilateraly save/restore req_id and remove xs_request_is_user()
>  * Initialize req_id for kernel callers
> ---
>  drivers/xen/xenbus/xenbus.h       | 1 +
>  drivers/xen/xenbus/xenbus_comms.c | 1 +
>  drivers/xen/xenbus/xenbus_xs.c    | 3 +++
>  3 files changed, 5 insertions(+)
> 
> diff --git a/drivers/xen/xenbus/xenbus.h b/drivers/xen/xenbus/xenbus.h
> index 149c5e7efc89..092981171df1 100644
> --- a/drivers/xen/xenbus/xenbus.h
> +++ b/drivers/xen/xenbus/xenbus.h
> @@ -76,6 +76,7 @@ struct xb_req_data {
>  	struct list_head list;
>  	wait_queue_head_t wq;
>  	struct xsd_sockmsg msg;
> +	uint32_t caller_req_id;
>  	enum xsd_sockmsg_type type;
>  	char *body;
>  	const struct kvec *vec;
> diff --git a/drivers/xen/xenbus/xenbus_comms.c b/drivers/xen/xenbus/xenbus_comms.c
> index 5b081a01779d..d239fc3c5e3d 100644
> --- a/drivers/xen/xenbus/xenbus_comms.c
> +++ b/drivers/xen/xenbus/xenbus_comms.c
> @@ -309,6 +309,7 @@ static int process_msg(void)
>  			goto out;
>  
>  		if (req->state == xb_req_state_wait_reply) {
> +			req->msg.req_id = req->caller_req_id;
>  			req->msg.type = state.msg.type;
>  			req->msg.len = state.msg.len;
>  			req->body = state.body;
> diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
> index 3e59590c7254..3f3b29398ab8 100644
> --- a/drivers/xen/xenbus/xenbus_xs.c
> +++ b/drivers/xen/xenbus/xenbus_xs.c
> @@ -227,6 +227,8 @@ static void xs_send(struct xb_req_data *req, struct xsd_sockmsg *msg)
>  	req->state = xb_req_state_queued;
>  	init_waitqueue_head(&req->wq);
>  
> +	/* Save the caller req_id and restore it later in the reply */
> +	req->caller_req_id = req->msg.req_id;
>  	req->msg.req_id = xs_request_enter(req);
>  
>  	mutex_lock(&xb_write_mutex);
> @@ -310,6 +312,7 @@ static void *xs_talkv(struct xenbus_transaction t,
>  	req->num_vecs = num_vecs;
>  	req->cb = xs_wake_up;
>  
> +	msg.req_id = 0;
>  	msg.tx_id = t.id;
>  	msg.type = type;
>  	msg.len = 0;
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ