Re: [Xen-devel] [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
>>> On 17.06.14 at 11:09, <julien.grall@xxxxxxxxxx> wrote:
> On 17/06/14 09:01, Jan Beulich wrote:
>>>>> On 16.06.14 at 18:17, <julien.grall@xxxxxxxxxx> wrote:
>>> +
>>> + /* Add an extra +1 to append \0. We can't assume the guest will
>>> + * provide a valid string */
>>
>> Now this is the case for flask, but for a generic string copying
>> routine I don't think this is desirable. It seems especially wrong to
>> aid the guest with putting a NUL where none was. If you really
>> want this, I guess you would be better off adding two variants:
>> One which demands the string to be NUL-terminated (in which
>> case passing in a size is sort of bogus), and one which takes a
>> size and inserts a NUL.
>
> A malicious guest could pass a big buffer without a NUL-terminated. If
> we don't limit the size and check the NUL-terminated character the guest
> could respectively exhaust Xen memory and exploit it.
>
> Therefore we can't rely on the guest to provide a valid string. This
> solution will avoid to check in every caller that the string is
> correctly terminated.

You seem to imply that by not passing in a size I also meant not
passing in a maximum size - I didn't say that, though. You absolutely
have to limit the string length for security reasons, but it's clearly
a difference whether you silently NUL-terminate the value after the
maximum number of characters, or return with an error.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
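
Review bot: the comment in the quoted hunk ("Add an extra +1 to append \0") records that the helper terminates the buffer itself, but not what the caller can rely on afterwards. Since it also says the guest cannot be assumed to provide a valid string, state in the comment that the NUL is added unconditionally at the given size and that the content is not otherwise checked, so callers do not take a successful return as proof that the guest sent a properly terminated string.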
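
The two behaviours contrasted in this message (a guest-supplied size with an inserted NUL, versus a required NUL within a maximum and an error otherwise), as an added example that is not code from the patch or from Xen. `copy_string_sized`, `copy_string_terminated`, `MAX_LEN` and the sample buffers are hypothetical names, and `memcpy` stands in for the guest-copy primitive.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN 8 /* constructed limit for this example */
/* Constructed "guest" buffers, MAX_LEN bytes each. */
const char guest_ok[MAX_LEN]  = "flask"; /* NUL-padded */
const char guest_bad[MAX_LEN] = { 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

/* Variant 1: the guest declares a size; the helper bounds it, copies
 * exactly that many bytes and appends the NUL itself. */
int copy_string_sized(char **out, const char *guest, size_t size, size_t max)
{
    char *buf;

    if ( size > max )
        return -ENOBUFS;
    if ( (buf = malloc(size + 1)) == NULL )
        return -ENOMEM;
    memcpy(buf, guest, size); /* assumption: stand-in for the guest copy */
    buf[size] = '\0';
    *out = buf;
    return 0;
}

/* Variant 2: no size from the guest, only a maximum; a NUL must be
 * found within max bytes, otherwise the call fails. */
int copy_string_terminated(char **out, const char *guest, size_t max)
{
    char *buf = malloc(max);

    if ( buf == NULL )
        return -ENOMEM;
    memcpy(buf, guest, max); /* assumption: stand-in for the guest copy */
    if ( !memchr(buf, '\0', max) )
    {
        free(buf);
        return -EINVAL;
    }
    *out = buf;
    return 0;
}
```

With `guest_bad`, the first variant returns success and hands back a terminated 8-character string, while the second returns `-EINVAL`; both bound how much memory the guest can make the hypervisor allocate.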