From: Paolo Bonzini <pbonzini@redhat.com>
To: "Daniele Buono" <dbuono@linux.vnet.ibm.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [PATCH] meson: Stop if cfi is enabled with system slirp
Date: Fri, 5 Mar 2021 18:18:16 +0100 [thread overview]
Message-ID: <de675aaa-0cff-e953-58da-cb0a86daa984@redhat.com> (raw)
In-Reply-To: <19c10e57-b515-ae96-1924-54103d575a58@linux.vnet.ibm.com>
On 05/03/21 17:52, Daniele Buono wrote:
>> diff --git a/net/slirp.c b/net/slirp.c
>> index be914c0be0..82e05d2c01 100644
>> --- a/net/slirp.c
>> +++ b/net/slirp.c
>> @@ -174,23 +174,42 @@ static int64_t net_slirp_clock_get_ns(void *opaque)
>> return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
>> }
>>
>> +typedef struct SlirpTimer {
>> + QEMUTimer t;
>> + SlirpTimerCb cb;
>> + void *cb_opaque;
>> +} SlirpTimer;
>> +
>> +static void slirp_timer_cb(void *opaque)
>> +{
>> + SlirpTimer *st = opaque;
>> + st->cb(st->cb_opaque);
>> +}
>
> This call is still violating CFI (st->cb is a pointer in libslirp), but
> now that we have a specific callback for slirp, we can easily add a
> "QEMU_DISABLE_CFI" decorator to disable CFI only on `slirp_timer_cb`.
Ok, so let's go with your patch for now. Independently we could change
libslirp to:
- add a separate callback (timer_new_v2?) in SlirpCb. If it is set, we
use it and pass an enum instead of the SlirpTimerCb cb.
- add a function slirp_timer_expired(enum SlirpTimerId timer_id, void
*cb_opaque) that does the indirection but without passing around an
arbitrary function pointer.
In 6.1 we will update the internal libslirp to a version that supports
the new API, through a patch very similar to mine above. By requiring
that new version as the minimum supported one, enabling CFI will be
possible even with system slirp.
You can open a slirp merge request at
https://gitlab.freedesktop.org/slirp/libslirp.
> The problem is that an attack on the timer is as easy now as it was
> without CFI. You just have to change the timer entry to call
> slirp_timer_cb, and the opaque pointer to a SlirpTimer struct you
> created, anywhere in memory, with a pointer to your own function and
> your own parameters. The call to slirp_timer_cb is valid for CFI, while
> the call to st->cb is not checked anymore.
I understand better now the situation, thanks for taking the time to
explain it.
Paolo
next prev parent reply other threads:[~2021-03-05 18:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-04 2:59 [PATCH] meson: Stop if cfi is enabled with system slirp Daniele Buono
2021-03-04 10:37 ` Daniel P. Berrangé
2021-03-04 10:56 ` Paolo Bonzini
2021-03-05 16:52 ` Daniele Buono
2021-03-05 17:18 ` Paolo Bonzini [this message]
2021-03-08 15:05 ` Daniele Buono
2021-03-05 16:53 ` Daniele Buono
2021-03-08 11:19 ` Daniel P. Berrangé
2021-03-08 11:27 ` Paolo Bonzini
2021-03-08 14:58 ` Daniele Buono
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=de675aaa-0cff-e953-58da-cb0a86daa984@redhat.com \
--to=pbonzini@redhat.com \
--cc=berrange@redhat.com \
--cc=dbuono@linux.vnet.ibm.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.