From: Ian Campbell <ian.campbell@citrix.com>
To: Julien Grall <julien.grall@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: xen-devel@lists.xenproject.org, Keir Fraser <keir@xen.org>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Jan Beulich <jbeulich@suse.com>, Tim Deegan <tim@xen.org>
Subject: Re: [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw
Date: Wed, 4 Nov 2015 14:29:10 +0000 [thread overview]
Message-ID: <1446647350.6461.89.camel@citrix.com> (raw)
In-Reply-To: <5639EEB6.6040908@citrix.com>
On Wed, 2015-11-04 at 11:40 +0000, Julien Grall wrote:
> > Not sure I follow. If hnd isn't a suitable struct xen guest handle then
> > other things will fail. If a user is passing a non struct
> > xen_guest_handle
> > to this which happens to contain the same fields then more fool them,
> > and
> > if it happens to be 8 bytes anyway your check won't catch that.
>
> With the 2 checks in set_xen_raw_guest_handle we catch most of the
> problem. They both ensure that the handle is 8-byte and the pointer is
> valid. However we don't check that the padding is at the beginning of
> the structure.
>
> It's better than what we have today as we don't even check that the
> handle is 8-byte.
I'm not sure I'm all that worried about callers constructing their own
guest handle structs and getting it wrong.
> [...]
>
> > > > This looses out on the arm32 hypervisor sanity checking that the
> > > > padding
> > > > bytes are 0 (as required by the ABI) but TBH I haven't checked that
> > > > the
> > > > current version has that property either.
> > >
> > > It's done during the assignation by the compiler:
> > >
> > > (hnd).q = (uint64_t)(uintptr_t)(val);
> >
> > I meant on the reading side.
>
> It's the responsibility of the caller to zero the padding. There is
> nothing to do on the reading side, the hypervisor will use "p" which
> will be the size of the natural pointer.
For a 32-bit Xen the check would be that a guest was not inadvertently
violating this rule, such a guest would crash if it was run on a 64-bit
hypervisor (which would see the non-zero padding as part of the pointer),
by rejecting such cases on 32-bit Xen we avoid such guests becoming
established and therefore presenting a case for us to relax this rule in
one way or another.
This is the same reason as check_multicall_32bit_clean() exists. multicall
is special only in that it was pretty easy to know where to add that check.
Ian.
next prev parent reply other threads:[~2015-11-04 14:29 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-30 18:13 [PATCH 0/4] xen/public: arm: rework set_xen_guest_handle_raw Julien Grall
2015-10-30 18:13 ` [PATCH 1/4] xen/public: arm: Clarify the name of guest handle structures Julien Grall
2015-11-02 15:14 ` Stefano Stabellini
2015-10-30 18:13 ` [PATCH 2/4] xen/public: arm: Rework __guest_handle_param* Julien Grall
2015-11-02 15:19 ` Stefano Stabellini
2015-11-02 15:24 ` Julien Grall
2015-11-02 15:35 ` Ian Campbell
2015-11-02 15:39 ` Julien Grall
2015-11-02 15:49 ` Ian Campbell
2015-10-30 18:13 ` [PATCH 3/4] xen/public: Don't expose XEN_GUEST_HANDLE_PARAM outside of the hypervisor Julien Grall
2015-11-02 13:45 ` Jan Beulich
2015-11-02 13:52 ` Stefano Stabellini
2015-10-30 18:13 ` [PATCH 4/4] xen/public: arm: rework the macro set_xen_guest_handle_raw Julien Grall
2015-11-02 15:55 ` Stefano Stabellini
2015-11-02 16:15 ` Jan Beulich
2015-11-03 12:35 ` Ian Campbell
2015-11-03 14:01 ` Julien Grall
2015-11-03 14:34 ` Ian Campbell
2015-11-04 11:17 ` Julien Grall
2015-11-04 11:27 ` Ian Campbell
2015-11-04 11:40 ` Julien Grall
2015-11-04 14:29 ` Ian Campbell [this message]
2015-11-04 14:42 ` Julien Grall
2015-11-04 14:54 ` Ian Campbell
2015-11-04 15:19 ` Stefano Stabellini
2015-11-04 15:20 ` Ian Jackson
2015-11-04 15:45 ` Ian Jackson
2015-11-04 15:26 ` Ian Campbell
2015-11-04 15:46 ` Ian Jackson
2015-11-04 16:04 ` Ian Campbell
2015-11-03 14:18 ` Stefano Stabellini
2015-11-03 15:25 ` Julien Grall
2015-11-04 16:22 ` Ian Jackson
2015-11-04 16:24 ` Ian Jackson
2015-11-04 16:39 ` Jan Beulich
2015-11-04 16:50 ` Ian Jackson
2015-11-04 16:59 ` Julien Grall
2015-11-04 17:05 ` Jan Beulich
2015-11-04 17:06 ` Ian Jackson
2015-11-05 8:37 ` Jan Beulich
2015-11-06 12:10 ` Ian Campbell
2015-11-02 13:42 ` [PATCH 0/4] xen/public: arm: rework set_xen_guest_handle_raw Jan Beulich
2015-11-02 13:45 ` Julien Grall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1446647350.6461.89.camel@citrix.com \
--to=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jbeulich@suse.com \
--cc=julien.grall@citrix.com \
--cc=keir@xen.org \
--cc=stefano.stabellini@eu.citrix.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.