| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <44403efe-a850-b53b-785f-6f5c73eb2b96@suse.com>
Date: Thu, 18 Nov 2021 06:32:03 +0100
From: Juergen Gross <jgross@...e.com>
To: Stefano Stabellini <sstabellini@...nel.org>,
Jan Beulich <jbeulich@...e.com>
Cc: boris.ostrovsky@...cle.com, xen-devel@...ts.xenproject.org,
linux-kernel@...r.kernel.org,
Stefano Stabellini <stefano.stabellini@...inx.com>,
stable@...r.kernel.org
Subject: Re: [PATCH] xen: detect uninitialized xenbus in xenbus_init
On 18.11.21 03:37, Stefano Stabellini wrote:
> On Wed, 17 Nov 2021, Jan Beulich wrote:
>> On 17.11.2021 03:11, Stefano Stabellini wrote:
>>> --- a/drivers/xen/xenbus/xenbus_probe.c
>>> +++ b/drivers/xen/xenbus/xenbus_probe.c
>>> @@ -951,6 +951,18 @@ static int __init xenbus_init(void)
>>> err = hvm_get_parameter(HVM_PARAM_STORE_PFN, &v);
>>> if (err)
>>> goto out_error;
>>> + /*
>>> + * Uninitialized hvm_params are zero and return no error.
>>> + * Although it is theoretically possible to have
>>> + * HVM_PARAM_STORE_PFN set to zero on purpose, in reality it is
>>> + * not zero when valid. If zero, it means that Xenstore hasn't
>>> + * been properly initialized. Instead of attempting to map a
>>> + * wrong guest physical address return error.
>>> + */
>>> + if (v == 0) {
>>> + err = -ENOENT;
>>> + goto out_error;
>>> + }
>>
>> If such a check gets added, then I think known-invalid frame numbers
>> should be covered at even higher a priority than zero.
>
> Uhm, that's a good point. We could check for 0 and also ULONG_MAX
>
>
>> This would, for example, also mean to ...
>>
>>> xen_store_gfn = (unsigned long)v;
>>
>> ... stop silently truncating a value here.
>
> Yeah, it can only happen on 32-bit but you have a point.
>
>
>> By covering them we would then have the option to pre-fill PFN params
>> with, say, ~0 in the hypervisor (to clearly identify them as invalid,
>> rather than having to guess at the validity of 0). I haven't really
>> checked yet whether such a change would be compatible with existing
>> software ...
>
> I had the same idea. I think the hvm_params should be initialized to an
> invalid value in Xen. But here in Linux we need to be able to cope with
> older Xen versions too so it still makes sense to check for zero in
> places where it is very obviously incorrect (HVM_PARAM_STORE_PFN).
>
>
> What do you think of the appended?
>
>
>
> diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c
> index 94405bb3829e..04558d3a5562 100644
> --- a/drivers/xen/xenbus/xenbus_probe.c
> +++ b/drivers/xen/xenbus/xenbus_probe.c
> @@ -951,6 +951,28 @@ static int __init xenbus_init(void)
> err = hvm_get_parameter(HVM_PARAM_STORE_PFN, &v);
> if (err)
> goto out_error;
> + /*
> + * Return error on an invalid value.
> + *
> + * Uninitialized hvm_params are zero and return no error.
> + * Although it is theoretically possible to have
> + * HVM_PARAM_STORE_PFN set to zero on purpose, in reality it is
> + * not zero when valid. If zero, it means that Xenstore hasn't
> + * been properly initialized. Instead of attempting to map a
> + * wrong guest physical address return error.
> + */
> + if (v == 0) {
Make this "if (v == ULONG_MAX || v== 0)" instead?
This would result in the same err on a new and an old hypervisor
(assuming we switch the hypervisor to init params with ~0UL).
> + err = -ENOENT;
> + goto out_error;
> + }
> + /*
> + * ULONG_MAX is invalid on 64-bit because is INVALID_PFN.
> + * On 32-bit return error to avoid truncation.
> + */
> + if (v >= ULONG_MAX) {
> + err = -EINVAL;
> + goto out_error;
> + }
Does it make sense to continue the system running in case of
truncation? This would be a 32-bit guest with more than 16TB of RAM
and the Xen tools decided to place the Xenstore ring page above the
16TB boundary. This is a completely insane scenario IMO.
A proper panic() in this case would make diagnosis of that much
easier (me having doubts that this will ever be hit, though).
Juergen
Download attachment "OpenPGP_0xB0DE9DD628BF132F.asc" of type "application/pgp-keys" (3092 bytes)
Download attachment "OpenPGP_signature" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists