Xen project Mailing List

Re: [Xen-devel] [PATCH 8/8] libelf: safety: Document safety principles in header file

To: "Ian Jackson" <ian.jackson@xxxxxxxxxxxxx>

From: "Jan Beulich" <JBeulich@xxxxxxxx>

Date: Fri, 16 Dec 2016 05:31:38 -0700

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 16 Dec 2016 12:31:52 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

>>> On 16.12.16 at 12:43, <ian.jackson@xxxxxxxxxxxxx> wrote: > Jan Beulich writes ("Re: [PATCH 8/8] libelf: safety: Document safety > principles in header file"): >> On 09.12.16 at 16:44, <ian.jackson@xxxxxxxxxxxxx> wrote: >> > + * - Stack local buffer variables containing information derived from >> > + * the image (including structs, or byte buffers) must be >> > + * completely zeroed, using elf_memset_unchecked (and an >> > + * accompanying elf_iter_ok_counted) on entry to the function (or >> > + * somewhere very obviously near there). >> > + * >> > + * Rationale: This avoids uninitialised stack data being used >> > + * as input to any of the loader. >> >> What distinguishes a "buffer variable" from a plain variable? I.e. >> where is the boundary here as to which ones need zeroing? > > The hazard is an undiscovered uninitialised variable. "Undiscovered" > meaning static analysis tools won't find it (eg Coverity will find > many if not most normal uninitialised variables). > > This is the biggest risk for variables which can be partially > initialised: ie, structs and arrays. It is more difficult to reason > about variables which can be partially initialised. I guess you meant "can't"? In any event the wording may want some clarification then. >> Also, >> I don't think zeroing is needed when a variable gets fully written >> over (like in a structure assignment). Do you perhaps want to >> limit the above to "directly derived from the image"? > > Structure assignment does not necessarily write over the whole > variable. It may leave the padding un-overwritten. Oh, true. >> > + * - Do not add code which is not necessary for libelf to function >> > + * with correct input, or to avoid being vulnerable to incorrect >> > + * input. Do not add additional functionally-unnecessary checks >> > + * for diagnosing problems with the image, or validating sanity of >> > + * the input ELF. > ... >> While I can understand your reasoning, I continue to think that >> libelf in a ELF loader, and hence should check certain things. The >> best example I currently know of are e_[ps]hentsize, which the >> code uses without checking the lower valid bound. > > You don't give a counterargument to my reasoning: > >> > + * Rationale: Redundant checks have almost zero benefit because >> > + * 1. we do not expect ELF-generating tools to generate invalid >> > + * ELFs so these checks' failure paths will very likely never >> > + * be executed anywhere, and 2. anyone debugging such a >> > + * hypothetical bad ELF will have a variety of tools available >> > + * which will do a much better job of analysing it. Well, because as said - I can understand it, given the perspective you take. Jan _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.