
Re: [PATCH for-4.19] avoid UB in guest handle arithmetic



On Tue, 2024-06-18 at 14:24 +0100, Andrew Cooper wrote:
> On 19/03/2024 1:26 pm, Jan Beulich wrote:
> > At least XENMEM_memory_exchange can have huge values passed in the
> > nr_extents and nr_exchanged fields. Adding such values to pointers can
> > overflow, resulting in UB. Cast respective pointers to "unsigned long"
> > while at the same time making the necessary multiplication explicit.
> > Remaining arithmetic is, despite there possibly being mathematical
> > overflow, okay as per the C99 spec: "A computation involving unsigned
> > operands can never overflow, because a result that cannot be represented
> > by the resulting unsigned integer type is reduced modulo the number that
> > is one greater than the largest value that can be represented by the
> > resulting type." The overflow that we need to guard against is checked
> > for in array_access_ok().
> > 
> > Note that in / down from array_access_ok() the address value is only
> > ever cast to "unsigned long" anyway, which is why in the invocation from
> > guest_handle_subrange_okay() the value doesn't need casting back to
> > pointer type.
> > 
> > In compat grant table code change two guest_handle_add_offset() to avoid
> > passing in negative offsets.
> > 
> > Since {,__}clear_guest_offset() need touching anyway, also deal with
> > another (latent) issue there: They were losing the handle type, i.e. the
> > size of the individual objects accessed. Luckily the few users we
> > presently have all pass char or uint8 handles.
> > 
> > Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> 
> There wants to be a xen: prefix in the subject.
> 
> But as for the UB aspect, I've checked that this does resolve the
> failure identified by the XSA-212 XTF test.
> 
> Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> Tested-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> 
> CC'ing Oleksii as this wants to go into 4.19.
Release-Acked-By: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>

~ Oleksii
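
An added illustration of the arithmetic the quoted commit message describes, not code from the patch or from Xen: the element address is formed on "unsigned long" with an explicit multiplication, and the count-times-size overflow is rejected in a separate range check. The function names, GUEST_ADDR_LIMIT and the sample values are hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed limit for this sketch: guest may use the lower half of the
 * address space. Not Xen's real boundary. */
#define GUEST_ADDR_LIMIT (ULONG_MAX / 2 + 1)

/* Address of element idx, computed on "unsigned long" with the
 * multiplication by the element size written out. A huge idx wraps modulo
 * ULONG_MAX + 1 (defined), whereas (T *)base + idx would be UB. */
static unsigned long elem_addr(unsigned long base, unsigned long idx,
                               size_t size)
{
    return base + idx * size;
}

/* Hypothetical range check: this is where the overflow that matters,
 * count * size, is rejected before the product is formed. */
static bool array_range_ok(unsigned long base, unsigned long count,
                           size_t size)
{
    if (size == 0 || count > GUEST_ADDR_LIMIT / size)
        return false;
    return base <= GUEST_ADDR_LIMIT - count * size;
}

/* Check elements [first, first + count) of a guest array. The start
 * address stays an integer; it is never cast back to a pointer. */
static bool subrange_ok(unsigned long base, unsigned long first,
                        unsigned long count, size_t size)
{
    return array_range_ok(elem_addr(base, first, size), count, size);
}

int main(void)
{
    /* Constructed inputs: an ordinary request and a huge element count. */
    printf("small: %d\n", subrange_ok(0x1000, 2, 4, 8));
    printf("huge count: %d\n", subrange_ok(0x1000, 0, ULONG_MAX, 8));
    printf("wrapped start: %#lx\n", elem_addr(0x1000, ULONG_MAX, 8));
    return 0;
}
```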
