| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <799aea46-80de-972a-571a-b0d946178f4b@suse.com>
Date: Tue, 23 Nov 2021 09:20:00 +0100
From: Jan Beulich <jbeulich@...e.com>
To: Juergen Gross <jgross@...e.com>,
Stefano Stabellini <sstabellini@...nel.org>
Cc: boris.ostrovsky@...cle.com, xen-devel@...ts.xenproject.org,
linux-kernel@...r.kernel.org,
Stefano Stabellini <stefano.stabellini@...inx.com>,
stable@...r.kernel.org
Subject: Re: [PATCH v3] xen: detect uninitialized xenbus in xenbus_init
On 23.11.2021 06:42, Juergen Gross wrote:
> On 22.11.21 23:16, Stefano Stabellini wrote:
>> From: Stefano Stabellini <stefano.stabellini@...inx.com>
>>
>> If the xenstore page hasn't been allocated properly, reading the value
>> of the related hvm_param (HVM_PARAM_STORE_PFN) won't actually return
>> error. Instead, it will succeed and return zero. Instead of attempting
>> to xen_remap a bad guest physical address, detect this condition and
>> return early.
>>
>> Note that although a guest physical address of zero for
>> HVM_PARAM_STORE_PFN is theoretically possible, it is not a good choice
>> and zero has never been validly used in that capacity.
>>
>> Also recognize the invalid value of INVALID_PFN which is ULLONG_MAX.
>>
>> For 32-bit Linux, any pfn above ULONG_MAX would get truncated. Pfns
>> above ULONG_MAX should never be passed by the Xen tools to HVM guests
>> anyway, so check for this condition and return early.
>>
>> Cc: stable@...r.kernel.org
>> Signed-off-by: Stefano Stabellini <stefano.stabellini@...inx.com>
>> ---
>> Changes in v3:
>> - improve in-code comment
>> - improve check
>>
>> Changes in v2:
>> - add check for ULLONG_MAX (unitialized)
>> - add check for ULONG_MAX #if BITS_PER_LONG == 32 (actual error)
>> - add pr_err error message
>> ---
>> drivers/xen/xenbus/xenbus_probe.c | 24 ++++++++++++++++++++++++
>> 1 file changed, 24 insertions(+)
>>
>> diff --git a/drivers/xen/xenbus/xenbus_probe.c b/drivers/xen/xenbus/xenbus_probe.c
>> index 94405bb3829e..d3ca57d48a73 100644
>> --- a/drivers/xen/xenbus/xenbus_probe.c
>> +++ b/drivers/xen/xenbus/xenbus_probe.c
>> @@ -951,6 +951,30 @@ static int __init xenbus_init(void)
>> err = hvm_get_parameter(HVM_PARAM_STORE_PFN, &v);
>> if (err)
>> goto out_error;
>> + /*
>> + * Uninitialized hvm_params are zero and return no error.
>> + * Although it is theoretically possible to have
>> + * HVM_PARAM_STORE_PFN set to zero on purpose, in reality it is
>> + * not zero when valid. If zero, it means that Xenstore hasn't
>> + * been properly initialized. Instead of attempting to map a
>> + * wrong guest physical address return error.
>> + *
>> + * Also recognize the invalid value of INVALID_PFN which is
>> + * ULLONG_MAX.
>
> Adjust the comment, e.g. s/ULLONG_MAX/all bits set/ (in the commit
> message, too)?
I also don't think the reference to INVALID_PFN is appropriate here. Afaict
the two aren't the same on 32-bit. Plus I can't even find a constant named
this way in Linux'es include/.
>> + */
>> + if (!v || !(v + 1)) {
>
> For me "if (!v || !~v)" would be more readable, but I don't really feel
> strong here.
Oh, indeed.
Jan
Powered by blists - more mailing lists