From: Ian Jackson <ian.jackson@eu.citrix.com>
To: xen-devel@lists.xensource.com
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Tim Deegan <tim@xen.org>, Jan Beulich <JBeulich@suse.com>
Subject: [PATCH 0/8] libelf: safety enhancements
Date: Fri, 9 Dec 2016 15:44:41 +0000 [thread overview]
Message-ID: <1481298289-13546-1-git-send-email-ian.jackson@eu.citrix.com> (raw)
In-Reply-To: <22602.39819.815607.194639@mariner.uk.xensource.com>
We recently discovered two near-miss in libelf:
* The intended method for limiting the phdr loop iteration count was
not effective. But happily this turned not to be important because
the count field is only 16 bits.
* A recent commit accidentally introduced a division by zero
vulnerability.
Subsequent discussion revealed that the design principles underlying
libelf's safety were not widely understood - because they were not
documented.
Initially I tried dealing with the loop safety problem by auditing the
code and adding a suitable comment next to each loop, stating a proof
sketch of the loop's safety. I found that this quickly became
unworkable, because there are nested loops. These nested loops did
not have badly unreasonable upper bounds but the complexity of the
analysis was unsuitable for security-critical review.
An upper bound on the work done in loops in libelf is necessary
because libelf may be called by the toolstack in a context where it
would block other work. Specifically, libelf is called by libxl, and
libxl does all of its work within a single per-ctx lock. libxl's
callers are not supposed to be required to invoke libxl on multiple
ctxs or with multiple processes simultaneously, and in any case
we don't want to generate and leak stuck toolstack processes.
So, in this series, I propose:
* A new scheme for limiting the work done by libelf. We track it
explicitly, and check it on each iteration of every loop. (This
replaces a similar ad-hoc scheme used for copying image data.)
* Documentation which states the safety design principles for libelf,
and the coding rules which follow from those design principles.
After this series is done there are a few redundant loop safety
checks, from the previous approach:
* There are a number of ad-hoc limits on string sizes, certain table
sizes, etc.
* There are calls to elf_access_ok which were intended to limit loop
iteration counts (but are ineffective at doing so since the stride
is controlled by the input image and might be zero).
I have chosen to retain these. Removing them seems like an
unnecessary risk. In particular, searching for and removing
certain elf_access_ok calls seems unwise.
Thanks,
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2016-12-09 15:44 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-08 14:18 [PATCH] libelf: Fix div0 issues in elf_{shdr, phdr}_count() Andrew Cooper
2016-12-08 14:41 ` Jan Beulich
2016-12-08 14:46 ` Andrew Cooper
2016-12-08 15:17 ` Jan Beulich
2016-12-08 15:23 ` Andrew Cooper
2016-12-08 15:47 ` Ian Jackson
2016-12-08 16:09 ` Jan Beulich
2016-12-08 17:28 ` Ian Jackson
2016-12-09 8:38 ` Jan Beulich
2016-12-09 11:54 ` Ian Jackson
2016-12-09 13:03 ` Jan Beulich
2016-12-09 15:44 ` Ian Jackson [this message]
2016-12-09 15:44 ` [PATCH 1/8] libelf: loop safety: Introduce elf_iter_ok and elf_strcmp_safe Ian Jackson
2016-12-12 15:02 ` Jan Beulich
2016-12-12 15:23 ` Ian Jackson
2016-12-12 15:15 ` Jan Beulich
2016-12-12 15:51 ` Jan Beulich
2016-12-12 16:00 ` Ian Jackson
2016-12-12 16:16 ` Jan Beulich
2016-12-12 16:56 ` Ian Jackson
2016-12-13 7:24 ` Jan Beulich
2016-12-13 16:04 ` Ian Jackson
2016-12-13 16:37 ` Jan Beulich
2016-12-09 15:44 ` [PATCH 2/8] libelf: loop safety: Pass `elf' to elf_xen_parse_features Ian Jackson
2016-12-12 15:03 ` Jan Beulich
2016-12-09 15:44 ` [PATCH 3/8] libelf: loop safety: Call elf_iter_ok[_counted] in every loop Ian Jackson
2016-12-12 15:12 ` Jan Beulich
2016-12-12 15:38 ` Ian Jackson
2016-12-12 15:56 ` Jan Beulich
2016-12-12 16:02 ` Ian Jackson
2016-12-09 15:44 ` [PATCH 4/8] libelf: loop safety: Call elf_iter_ok_counted at every *mem*_unsafe Ian Jackson
2016-12-12 15:19 ` Jan Beulich
2016-12-12 15:54 ` Ian Jackson
2016-12-12 15:58 ` Jan Beulich
2016-12-12 16:03 ` Ian Jackson
2016-12-09 15:44 ` [PATCH 5/8] libelf: loop safety: Replace all calls to strcmp Ian Jackson
2016-12-12 15:22 ` Jan Beulich
2016-12-12 15:44 ` Ian Jackson
2016-12-09 15:44 ` [PATCH 6/8] libelf: loop safety cleanup: Remove obsolete check in elf_shdr_count Ian Jackson
2016-12-12 15:41 ` Jan Beulich
2016-12-09 15:44 ` [PATCH 7/8] libelf: loop safety cleanup: Remove superseded image size copy check Ian Jackson
2016-12-12 16:26 ` Jan Beulich
2016-12-09 15:44 ` [PATCH 8/8] libelf: safety: Document safety principles in header file Ian Jackson
2016-12-15 16:43 ` Jan Beulich
2016-12-16 4:28 ` George Dunlap
2016-12-16 11:33 ` Ian Jackson
2016-12-16 11:58 ` Jan Beulich
2016-12-16 11:43 ` Ian Jackson
2016-12-16 12:31 ` Jan Beulich
2016-12-08 14:48 ` [PATCH] libelf: Fix div0 issues in elf_{shdr, phdr}_count() Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1481298289-13546-1-git-send-email-ian.jackson@eu.citrix.com \
--to=ian.jackson@eu.citrix.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=sstabellini@kernel.org \
--cc=tim@xen.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).