[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 3/5] xen/version: Introduce non-truncating XENVER_* subops


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
  • Date: Mon, 16 Jan 2023 21:47:44 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=d1bDsOmjl8xN+I4QgWWPB1S7LLb3MDkQBMx+iuLiCV0=; b=biiUXJShUpFBoJWfoBhZxMdrCNvwrUd0QVdVhPqxXqESEFilvKXdP1RQVR/3O7en04TFYLmlU8VJztNMaQhZW3tl7+EfLluN+EvWSrcE0/z2guWbuGxmx44vKqUS0elggZDV/mzqudDyKi2ad9TDNGsJotB4QledIjitSIhlEPOXFtW4eTBuvkNUfqW74tshX/aKn9fWdYsfYjwCRkM9gi4TonSgqm55pk/pi2OoaEmyw1+lL2tPUGSYiS1NlYXvHWtBT3Kqj9Mk2e9bRCTB/rnKRdflYOd/hgfU7Eu8vhheDUU+Lyhw9f5hkr856NSpukUQLRUhHqyu7JP9cfbX1A==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hY70pNa8g0kEy5qVRqSsS+n7OXaPnj6yBQNfUZ9XiES6ph7m+nYOqV3PiL6Hd6+7rOKrgwg/6Zir3B/EZj4U79UxCsQN+gMGYdqEDD8ekxyORElOZ97sINsGrBBAlqELFlBWmgyERyZbtceypi+evLzFJstFP2r5ifLe+y1DN1kiOCLQxldm5Pi31A5+jH+tRojfdN8Q7Vs8vbMHi2piskPOkECSbe7CaCmh/ARbG/f3NhtGCWVuOGiVgJ9xFxRQJRxkkSe4HYOIWVwKxbHGmzNp6xd9d3TQWO2ewJZolbXk8RT9c2omzz9FB3NoOlDU1rBswU0swdhqTBoWyvMiOQ==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: George Dunlap <George.Dunlap@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>, Daniel Smith <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Jason Andryuk <jandryuk@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 16 Jan 2023 21:48:08 +0000
  • Ironport-data: A9a23:6gfwta3ALkKcrozBD/bD5U5wkn2cJEfYwER7XKvMYLTBsI5bpzNTy WcdUT/TOveIY2ahc4t/aoXl8B8AsMXTnYNhGwRkpC1hF35El5HIVI+TRqvS04F+DeWYFR46s J9OAjXkBJppJpMJjk71atANlVEliefTAOK5ULSfUsxIbVcMYD87jh5+kPIOjIdtgNyoayuAo tq3qMDEULOf82cc3lk8tuTS93uDgNyo4GlD5gVnO6gR1LPjvyJ94Kw3dPnZw0TQGuG4LsbiL 87fwbew+H/u/htFIrtJRZ6iLyXm6paLVeS/oiI+t5qK23CulQRrukoPD9IOaF8/ttm8t4sZJ OOhF3CHYVxB0qXkwIzxWvTDes10FfUuFLTveRBTvSEPpqFvnrSFL/hGVSkL0YMkFulfO1hir swxDx43UUqvofzr/5CDFexqmZF2RCXrFNt3VnBI6xj8VK9jbbWdBqLA6JlfwSs6gd1IEbDGf c0FZDFzbRPGJRpSJlMQD5F4l+Ct7pX9W2QA9BTJ+uxqvC6Kk1AZPLvFabI5fvSjQ8lPk1nej WXB52njWTkRNcCFyCrD+XWp7gPKtXKhCdhPSeXlnhJsqHKymkFCARoRbmnhvuSirXaffd5NA nVBr0LCqoB3riRHVOLVXRe1vXqFtR40QMdLHqsx7wTl4rHP/w+TC2wATzhAQN8rrsk7QXotz FDht8ztLSxitvuSU3313rWJqTK/PwAFIGlEYjULJSMJ7NXur5s6pg7eRdZkVqiuh5v6Hi+Y6 zySty0/m7U7hNYGzbmm5kvAhy+wp5/PVUg+4QC/dmCs6A9jdZOmT4Ot4Fnfq/1HKe6xXlSH+ XQJhcWaxOQPFo2W0jyARv0XG7Ok7OrDNyfT6WODBLEk/jWpvnKmI4ZZ5WgnIF8za5lYPzj0f EXUpAVdoodJO2enZrN2ZIT3DNk2ya/nFpLuUfW8gsdyX6WdvTSvpElGDXN8FUi3+KTwucnT4 aumTPs=
  • Ironport-hdrordr: A9a23:z5rIOKDI75avPkPlHejpsceALOsnbusQ8zAXPiFKOGlom6mj/K 6TdZsgtSMc9wxhJE3I9ergBEDiewKuyXcK2/hyAV7KZmCP0ldAR7sSjrcKrQeQfhEX/YZmpN hdm8AVMrHN5TMRt6nHCMbTKbsd6ejCyYTtodr3i05qSwQCUdAT0++6YDzrbHGfgGN9dOoE/F /33Ls3m9PaQwVyUu2LQkMdWvTFpZnijYuOW29+OzcXrDOWiC+u6vrQDxic034lIk5y6IZny3 HBjwv6ooKqt/3T8G6660bjq65OncfnyJ9kGsuBkaEuW1PRozftXp1lR7qB+AoUjYiUmS4Xue iJmQ4kI8Nwr0ncZX64ujzk3wWI6kdU11bSjWWAhGflo4jHSCkhC8xH7LgpCCfk1w==
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHZJ6P9s5HCoeqlF020fKh7orvbwa6hOboAgABfUgA=
  • Thread-topic: [PATCH v2 3/5] xen/version: Introduce non-truncating XENVER_* subops

On 16/01/2023 4:06 pm, Jan Beulich wrote:
> On 14.01.2023 00:08, Andrew Cooper wrote:
>> @@ -470,6 +471,59 @@ static int __init cf_check param_init(void)
>>  __initcall(param_init);
>>  #endif
>>  
>> +static long xenver_varbuf_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
>> +{
>> +    struct xen_varbuf user_str;
>> +    const char *str = NULL;
> This takes away from the compiler any chance of reporting "str" as
> uninitialized

Yes...

It is also the classic false positive pattern in GCC 4.x which is still
supported despite attempts to retire it.

>> +    if ( sz > KB(64) ) /* Arbitrary limit.  Avoid long-running operations. 
>> */
>> +        return -E2BIG;
>> +
>> +    if ( guest_handle_is_null(arg) ) /* Length request */
>> +        return sz;
>> +
>> +    if ( copy_from_guest(&user_str, arg, 1) )
>> +        return -EFAULT;
>> +
>> +    if ( user_str.len == 0 )
>> +        return -EINVAL;
>> +
>> +    if ( sz > user_str.len )
>> +        return -ENOBUFS;
> The earlier of these last two checks makes it that one can't successfully
> call this function when the size query has returned 0.

This is actually a check that the build_id path already has.  I did
consider it somewhat dubious to special case 0 here, but it needs to
stay for the following patch to have no functional change.

>> --- a/xen/include/public/version.h
>> +++ b/xen/include/public/version.h
>> @@ -19,12 +19,20 @@
>>  /* arg == NULL; returns major:minor (16:16). */
>>  #define XENVER_version      0
>>  
>> -/* arg == xen_extraversion_t. */
>> +/*
>> + * arg == xen_extraversion_t.
>> + *
>> + * This API/ABI is broken.  Use XENVER_extraversion2 instead.
> Personally I don't like these "broken" that you're adding. These interfaces
> simply are the way they are, with certain limitations. We also won't be
> able to remove the old variants (except in the new ABI), so telling people
> to avoid them provides us about nothing.

Incorrect.

First, the breakage here isn't only truncation; it's char-signedness
with data that's not guaranteed to be ASCII text.  Yet another
demonstration of why C is an inappropriate way of defining an ABI.

Secondly, it is unreasonable for ABI errors and correction information
such as this not to be documented *somewhere*.  It should live with the
API technical reference, which happens to be exactly (and only) here.

These comments won't fix existing implementations.  What they will do is
cause anyone new implementing guests, or anyone who re-syncs the
headers, to notice and hopefully take mitigating action.

~Andrew

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.