Re: [Xen-devel] [PATCH 02/22] libxc: introduce xc_dom_seg_to_ptr_pages
Andrew Cooper writes ("Re: [PATCH 02/22] libxc: introduce xc_dom_seg_to_ptr_pages"):
> With a view to security, why does this change need to be present?
>
> At the end of the v6 series, this new function has 1 caller from
> xc_dom_load_elf_kernel() and 5 callers of the original function.
>
> From looking at the semantics of the function, it either returns NULL,
> or maps all requested pages (xc_dom_seg size rounded up to the nearest page)
>
> With that in mind, xc_dom_load_elf_kernel() can calculate elf->dest_size
> given a successful mapping from xc_dom_seg_to_ptr(), without needing
> this _pages() variant.

This avoids duplicating the calculation of the number of pages allocated.

Duplication of logic is of course in general a bad idea. In this specific case there would be a risk that an error in one of the functions (or perhaps future changes) would result in a difference between the two calculations, which (if the error is in the unfortunate direction) would result in a security problem.

In general I think it is best to always carry the pointer and length together, so for an allocation/access function of this kind to return both the pointer and length.

Or to put it another way: doing it this way makes it easier to see that the resulting code is correct.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
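The "carry the pointer and length together" pattern argued for above, as an added illustration that is not libxc code and not part of this thread: `dom_seg`, `dom_image`, `seg_to_ptr_pages`, `load_segment` and `example_load` are hypothetical stand-ins for the real structures and helpers, and the backing memory is a constructed buffer rather than mapped guest pages.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
struct dom_seg   { uint64_t vstart, vend; };                   /* guest virtual range */
struct dom_image { uint64_t virt_base; size_t total_pages; uint8_t *backing; };

/* Hypothetical stand-in for the _pages() variant (not libxc code): map a segment
 * and report its page count in the same call, so the caller never recomputes it.
 * Returns NULL with *pages_out == 0 if the segment is empty or exceeds the image. */
static void *seg_to_ptr_pages(const struct dom_image *dom,
                              const struct dom_seg *seg, size_t *pages_out)
{
    uint64_t first, last;
    *pages_out = 0;
    if (seg->vend <= seg->vstart || seg->vstart < dom->virt_base) return NULL;
    first = (seg->vstart - dom->virt_base) >> PAGE_SHIFT;
    last  = (seg->vend - dom->virt_base + PAGE_SIZE - 1) >> PAGE_SHIFT; /* round up */
    if (last > dom->total_pages) return NULL;
    *pages_out = last - first;
    return dom->backing + (first << PAGE_SHIFT); /* backing is a constructed stand-in */
}

/* Caller in the style of the kernel loader: dest_size is derived from the returned
 * count, so the copy is bounded by exactly what was mapped. Returns dest_size, or 0
 * when the mapping failed or the payload would overrun it. */
static size_t load_segment(const struct dom_image *dom, const struct dom_seg *seg,
                           const void *src, size_t len)
{
    size_t pages;
    void *dst = seg_to_ptr_pages(dom, seg, &pages);
    size_t dest_size = pages * PAGE_SIZE;   /* 0 when dst is NULL */
    if (dst == NULL || len > dest_size) return 0;
    memcpy(dst, src, len);
    return dest_size;
}

/* Constructed 4-page image at guest vaddr 0x100000: load `len` zero bytes into the
 * segment [start_off, end_off) and return load_segment's result. */
static size_t example_load(uint64_t start_off, uint64_t end_off, size_t len)
{
    struct dom_image dom = { 0x100000, 4, calloc(4, PAGE_SIZE) };
    struct dom_seg seg = { dom.virt_base + start_off, dom.virt_base + end_off };
    uint8_t *src = calloc(len + 1, 1);
    size_t r = load_segment(&dom, &seg, src, len);
    free(src); free(dom.backing);
    return r;
}
```

A 5000-byte segment maps two pages, so a 5000-byte payload fits while an 8193-byte one is refused; a segment reaching past the fourth page is refused outright because the mapping itself fails.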