From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Stefan Berger <stefanb@linux.vnet.ibm.com>, Quan Xu <quan.xu@intel.com>
Cc: wei.liu2@citrix.com, stefano.stabellini@eu.citrix.com,
qemu-devel@nongnu.org, xen-devel@lists.xen.org,
aliguori@amazon.com, pbonzini@redhat.com
Subject: Re: [Qemu-devel] [PATCH v5 3/6] Qemu-Xen-vTPM: Xen frontend driver infrastructure
Date: Wed, 15 Apr 2015 11:07:04 -0400
Message-ID: <552E7E98.3020206@tycho.nsa.gov>
In-Reply-To: <552E7950.7030806@linux.vnet.ibm.com>
On 04/15/2015 10:44 AM, Stefan Berger wrote:
> On 04/10/2015 02:59 AM, Quan Xu wrote:
>> This patch adds infrastructure for xen front drivers living in qemu,
>> so drivers don't need to implement common stuff on their own. It's
>> mostly xenbus management stuff: some functions to access XenStore,
>> setting up XenStore watches, callbacks on device discovery and state
>> changes, and handle event channel between the virtual machines.
>>
[...]
>> +int vtpm_recv(struct XenDevice *xendev, uint8_t* buf, uint32_t buf_size,
>> + size_t *count)
>> +{
>> + struct xen_vtpm_dev *vtpmdev = container_of(xendev, struct xen_vtpm_dev,
>> + xendev);
>> + struct tpmif_shared_page *shr = vtpmdev->shr;
>> + unsigned int offset;
>> + size_t length = shr->length;
>> +
>> + if (shr->state == TPMIF_STATE_IDLE) {
>> + return -ECANCELED;
>> + }
>> +
>> + offset = sizeof(*shr) + sizeof(shr->extra_pages[0])*shr->nr_extra_pages;
>
> offset now points to where the TPM response starts, right?
Yes.
>> + if (offset > buf_size) {
>
> You are comparing offset as if it was the size of the TPM response, but that's not what it is as far as I understand this.
>
> I would have thought that shr->length indicates the size of the TPM response that starts at offset.
> So then you should only have to ensure that shr->length <= buf_size and never copy more than buf_size bytes to buf.
>
> Similar comments to vtpm_send.
No, this check needs to remain (on both send and recv), but buf_size should
be replaced by PAGE_SIZE. This prevents an incorrectly large value for
nr_extra_pages from causing the packet to be located outside of the shared
page, resulting in TPM packets being written to some random heap address.
>> + return -EIO;
>> + }
>> +
>> + if (offset + length > buf_size) {
>> + length = buf_size - offset;
>> + }
This check also needs to be against PAGE_SIZE.
>> +
>> + if (length > *count) {
>> + length = *count;
>> + }
Is *count even valid here? I would have assumed it was a purely
out parameter, with buf_size as the maximum value it can be assigned.
>> +
>> + memcpy(buf, offset + (uint8_t *)shr, shr->length);
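Review bot: the `if (offset > buf_size)` check bounds the packet's start against the destination buffer rather than against the page that `shr` actually maps, so an oversized `nr_extra_pages` can still make `offset + (uint8_t *)shr` point past the shared page; compare against PAGE_SIZE instead, and clamp `length` to `PAGE_SIZE - offset` rather than `buf_size - offset`. The final `memcpy(buf, offset + (uint8_t *)shr, shr->length)` re-reads the shared page after `length` has been clamped, which discards the clamping entirely; copy `length`, and for the same reason read `shr->nr_extra_pages` once into a local before computing `offset`. Writing the clamp as `if (length > PAGE_SIZE - offset)` also avoids any chance of the `offset + length` sum wrapping, and the `length > *count` branch needs a comment on whether `*count` is an input limit or an output, since the signature does not say.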
>
> use length rather than shr->length otherwise length goes unused.
Agreed; the values from the shared page should not be read more than
once, because an uncooperative peer could end up changing them.
--
Daniel De Graaf
National Security Agency
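The hardening described in this reply (bound the packet against the shared page rather than the caller's buffer, and read each peer-controlled header field exactly once) written out as an added example in C. This is not code from the patch, from QEMU or from Xen: the `vtpm_shr_hdr` layout, the `PAGE_SIZE` constant and the `TPMIF_STATE_*` values are constructed stand-ins for `tpmif_shared_page`, and `*count` is treated purely as an output, which is the reading suggested above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE          4096u  /* extent of the mapped shared page (assumed) */
#define TPMIF_STATE_IDLE   0u     /* constructed state values, not Xen's tpmif.h */
#define TPMIF_STATE_SUBMIT 1u

/* Constructed stand-in for the shared-page header; the real
 * tpmif_shared_page layout differs. */
struct vtpm_shr_hdr {
    uint32_t length;          /* packet length claimed by the peer */
    uint32_t state;           /* TPMIF_STATE_* */
    uint32_t nr_extra_pages;  /* grant refs following the header */
    uint32_t extra_pages[];   /* packet data starts after these */
};

/* Hardened receive: copy the packet that starts after the extra-page list
 * into buf.  The peer controls every header field, so each one is read
 * exactly once (volatile snapshot), the offset is bounded against the page
 * that is actually mapped, and the copy length is clamped to both the page
 * and the caller's buffer.  Returns 0 and sets *count, or a negative errno. */
int vtpm_recv_hardened(const uint8_t *page, uint8_t *buf, size_t buf_size,
                       size_t *count)
{
    const volatile struct vtpm_shr_hdr *shr =
        (const volatile struct vtpm_shr_hdr *)page;
    uint32_t state    = shr->state;
    uint32_t nr_extra = shr->nr_extra_pages;
    size_t   length   = shr->length;
    size_t   offset;

    *count = 0;
    if (state == TPMIF_STATE_IDLE) {
        return -ECANCELED;
    }
    /* Reject the extra-page count before multiplying, so the offset
     * computation itself cannot wrap. */
    if (nr_extra > (PAGE_SIZE - sizeof(*shr)) / sizeof(shr->extra_pages[0])) {
        return -EIO;
    }
    offset = sizeof(*shr) + sizeof(shr->extra_pages[0]) * nr_extra;
    /* offset <= PAGE_SIZE is now guaranteed: clamp so the packet cannot
     * extend past the page, then so it cannot overflow buf. */
    if (length > PAGE_SIZE - offset) {
        length = PAGE_SIZE - offset;
    }
    if (length > buf_size) {
        length = buf_size;
    }
    memcpy(buf, page + offset, length);  /* the local, never shr->length again */
    *count = length;
    return 0;
}

/* Page buffer with the alignment the header cast needs. */
union page_buf { uint8_t b[PAGE_SIZE]; uint32_t align; };

/* Constructed page: header followed by a 0xAA payload everywhere else. */
static void build_page(uint8_t *page, uint32_t state, uint32_t nr_extra,
                       uint32_t length)
{
    struct vtpm_shr_hdr hdr = { .length = length, .state = state,
                                .nr_extra_pages = nr_extra };
    memset(page, 0xAA, PAGE_SIZE);
    memcpy(page, &hdr, sizeof hdr);
}

/* Run one scenario: returns bytes delivered, the negative errno from
 * vtpm_recv_hardened, or -1 if any delivered byte was not payload. */
static int run(uint32_t state, uint32_t nr_extra, uint32_t length,
               size_t buf_size)
{
    union page_buf page;
    uint8_t buf[PAGE_SIZE];
    size_t n = 0;
    int rc;

    build_page(page.b, state, nr_extra, length);
    rc = vtpm_recv_hardened(page.b, buf, buf_size, &n);
    if (rc < 0) {
        return rc;
    }
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != 0xAA) {
            return -1;
        }
    }
    return (int)n;
}

int scenario_ok(void)           { return run(TPMIF_STATE_SUBMIT, 2, 10, 64); }
int scenario_idle(void)         { return run(TPMIF_STATE_IDLE, 0, 10, 64); }
int scenario_bad_nr_extra(void) { return run(TPMIF_STATE_SUBMIT, 0x40000000u, 10, 64); }
int scenario_long_packet(void)  { return run(TPMIF_STATE_SUBMIT, 0, 100000, PAGE_SIZE); }
int scenario_small_buf(void)    { return run(TPMIF_STATE_SUBMIT, 0, 4000, 16); }
int scenario_full_header(void)  { return run(TPMIF_STATE_SUBMIT, 1021, 10, 64); }

int main(void)
{
    printf("ok=%d idle=%d bad_nr=%d long=%d small=%d full=%d\n",
           scenario_ok(), scenario_idle(), scenario_bad_nr_extra(),
           scenario_long_packet(), scenario_small_buf(), scenario_full_header());
    return 0;
}
```

The scenarios cover the cases raised in the thread: a well-formed response is delivered intact; an absurd `nr_extra_pages` is rejected before it can place the packet outside the page; a claimed length larger than the page is cut to what the page can hold (4084 bytes after the 12-byte header); a small caller buffer limits the copy; and an extra-page list that exactly fills the page yields zero bytes rather than a read past its end.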
Thread overview: 19+ messages
2015-04-10 6:59 [Qemu-devel] [PATCH v5 0/6] QEMU:Xen stubdom vTPM for HVM virtual machine(QEMU patch) Quan Xu
2015-04-10 6:59 ` [Qemu-devel] [PATCH v5 1/6] Qemu-Xen-vTPM: Support for Xen stubdom vTPM command line options Quan Xu
2015-04-10 13:22 ` Eric Blake
2015-04-13 2:32 ` Xu, Quan
2015-04-10 6:59 ` [Qemu-devel] [PATCH v5 2/6] Qemu-Xen-vTPM: Xen frontend driver infrastructure Quan Xu
2015-04-10 6:59 ` [Qemu-devel] [PATCH v5 3/6] " Quan Xu
2015-04-15 14:44 ` Stefan Berger
2015-04-15 15:07 ` Daniel De Graaf [this message]
2015-04-16 1:03 ` Xu, Quan
2015-04-10 6:59 ` [Qemu-devel] [PATCH v5 4/6] Qemu-Xen-vTPM: Qemu vTPM xenstubdoms backen Quan Xu
2015-04-15 14:50 ` Stefan Berger
2015-04-16 1:07 ` Xu, Quan
2015-04-10 6:59 ` [Qemu-devel] [PATCH v5 5/6] Qemu-Xen-vTPM: QEMU machine class is initialized before tpm_init() Quan Xu
2015-04-10 6:59 ` [Qemu-devel] [PATCH v5 6/6] Qemu-Xen-vTPM: Add a parameter indicating whether the command that was a selftest Quan Xu
2015-04-12 20:50 ` Stefan Berger
2015-04-13 2:15 ` Xu, Quan
2015-04-15 14:56 ` Stefan Berger
2015-04-16 1:04 ` Xu, Quan
2015-04-13 22:35 ` Stefan Berger