From: Julien Grall <julien.grall@linaro.org>
To: Jan Beulich <JBeulich@suse.com>
Cc: Keir Fraser <keir@xen.org>,
ian.campbell@citrix.com, tim@xen.org,
Ian Jackson <ian.jackson@eu.citrix.com>,
stefano.stabellini@citrix.com, xen-devel@lists.xenproject.org,
Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest
Date: Tue, 17 Jun 2014 10:23:15 +0100 [thread overview]
Message-ID: <53A00903.2060904@linaro.org> (raw)
In-Reply-To: <53A023E7020000780001AE8B@mail.emea.novell.com>
On 17/06/14 10:17, Jan Beulich wrote:
>>>> On 17.06.14 at 11:09, <julien.grall@linaro.org> wrote:
>> On 17/06/14 09:01, Jan Beulich wrote:
>>>>>> On 16.06.14 at 18:17, <julien.grall@linaro.org> wrote:
>>>> +
>>>> + /* Add an extra +1 to append \0. We can't assume the guest will
>>>> + * provide a valid string */
>>>
>>> Now this is the case for flask, but for a generic string copying
>>> routine I don't think this is desirable. It seems especially wrong to
>>> aid the guest with putting a NUL where none was. If you really
>>> want this, I guess you would be better off adding two variants:
>>> One which demands the string to be NUL-terminated (in which
>>> case passing in a size is sort of bogus), and one which takes a
>>> size and inserts a NUL.
>>
>> A malicious guest could pass a big buffer without a NUL-terminated. If
>> we don't limit the size and check the NUL-terminated character the guest
>> could respectively exhaust Xen memory and exploit it.
>>
>> Therefore we can't rely on the guest to provide a valid string. This
>> solution will avoid to check in every caller that the string is
>> correctly terminated.
>
> You seem to imply that by not passing in a size I also meant not
> passing in a maximum size - I didn't say that, though. You absolutely
> have to limit the string length for security reasons, but it's clearly a
> difference whether you silently NUL-terminate the value after the
> maximum number of characters, or return with an error.
I didn't understand in this way your previous mail. Thank you for the
explanation.
It looks like for my use case it's better to throw an error if we don't
have enough place. It would help us if one day the path start to be very
long.
I'm wondering if we can also make this change for flask... Daniel, any
though?
Regards,
--
Julien Grall
next prev parent reply other threads:[~2014-06-17 9:23 UTC|newest]
Thread overview: 122+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-16 16:17 [RFC 00/19] xe/arm: Add support for non-pci passthrough Julien Grall
2014-06-16 16:17 ` [RFC 01/19] xen/arm: guest_physmap_remove_page: Print a warning if we fail to unmap the page Julien Grall
2014-06-18 15:03 ` Stefano Stabellini
2014-07-03 10:52 ` Ian Campbell
2014-07-03 11:17 ` Julien Grall
2014-06-16 16:17 ` [RFC 02/19] xen: guestcopy: Provide an helper to copy string from guest Julien Grall
2014-06-17 8:01 ` Jan Beulich
2014-06-17 9:09 ` Julien Grall
2014-06-17 9:17 ` Jan Beulich
2014-06-17 9:23 ` Julien Grall [this message]
2014-06-17 22:43 ` Daniel De Graaf
2014-06-18 11:59 ` Jan Beulich
2014-06-18 12:22 ` Julien Grall
2014-06-18 12:49 ` Jan Beulich
2014-06-18 12:53 ` Julien Grall
2014-06-18 13:01 ` Jan Beulich
2014-06-24 14:58 ` Julien Grall
2014-06-16 16:17 ` [RFC 03/19] xen/arm: follow-up to allow DOM0 manage IRQ and MMIO Julien Grall
2014-06-18 20:21 ` Stefano Stabellini
2014-06-18 20:32 ` Julien Grall
2014-07-03 11:02 ` Ian Campbell
2014-07-03 11:23 ` Julien Grall
2014-07-03 12:12 ` Ian Campbell
2014-06-16 16:17 ` [RFC 04/19] xen/arm: route_irq_to_guest: Check validity of the IRQ Julien Grall
2014-06-18 18:52 ` Stefano Stabellini
2014-06-18 19:03 ` Julien Grall
2014-07-03 11:04 ` Ian Campbell
2014-07-03 11:47 ` Julien Grall
2014-06-16 16:17 ` [RFC 05/19] xen/arm: Release IRQ routed to a domain when it's destroying Julien Grall
2014-06-18 18:08 ` Stefano Stabellini
2014-06-18 18:26 ` Julien Grall
2014-06-18 18:48 ` Stefano Stabellini
2014-06-18 18:54 ` Julien Grall
2014-06-18 19:06 ` Stefano Stabellini
2014-06-18 19:09 ` Julien Grall
2014-06-16 16:17 ` [RFC 06/19] xen/arm: Implement hypercall PHYSDEVOP_map_pirq Julien Grall
2014-06-18 19:24 ` Stefano Stabellini
2014-06-19 11:39 ` Julien Grall
2014-06-19 12:29 ` Stefano Stabellini
2014-07-03 11:27 ` Ian Campbell
2014-07-03 12:02 ` Julien Grall
2014-07-03 12:53 ` Ian Campbell
2014-07-15 13:01 ` Julien Grall
2014-07-15 13:03 ` Ian Campbell
2014-08-18 19:20 ` Andrii Tseglytskyi
2014-08-18 21:55 ` Julien Grall
2014-08-19 9:11 ` Andrii Tseglytskyi
2014-08-19 14:24 ` Julien Grall
2014-06-16 16:17 ` [RFC 07/19] xen/dts: Use unsigned int for MMIO and IRQ index Julien Grall
2014-06-18 18:54 ` Stefano Stabellini
2014-06-19 11:42 ` Julien Grall
2014-06-16 16:17 ` [RFC 08/19] xen/dts: Provide an helper to get a DT node from a path provided by a guest Julien Grall
2014-07-03 11:30 ` Ian Campbell
2014-07-03 11:49 ` Julien Grall
2014-07-03 12:13 ` Ian Campbell
2014-07-03 12:22 ` Julien Grall
2014-06-16 16:17 ` [RFC 09/19] xen/dts: Add hypercalls to retrieve device node information Julien Grall
2014-06-18 19:38 ` Stefano Stabellini
2014-06-19 11:58 ` Julien Grall
2014-06-19 12:21 ` Stefano Stabellini
2014-06-19 12:25 ` Julien Grall
2014-07-03 11:40 ` Ian Campbell
2014-06-24 8:46 ` Christoffer Dall
2014-07-03 11:34 ` Ian Campbell
2014-07-03 11:33 ` Ian Campbell
2014-07-03 11:51 ` Julien Grall
2014-07-03 12:13 ` Ian Campbell
2014-06-16 16:17 ` [RFC 10/19] xen/passthrough: Introduce iommu_buildup Julien Grall
2014-07-03 11:45 ` Ian Campbell
2014-07-03 11:55 ` Julien Grall
2014-06-16 16:17 ` [RFC 11/19] xen/passthrough: Call arch_iommu_domain_destroy before calling iommu_teardown Julien Grall
2014-06-17 8:07 ` Jan Beulich
2014-06-17 9:18 ` Julien Grall
2014-06-17 9:29 ` Jan Beulich
2014-06-17 12:38 ` Julien Grall
2014-06-17 13:04 ` Jan Beulich
2014-06-18 12:24 ` Julien Grall
2014-06-18 12:50 ` Jan Beulich
2014-06-16 16:17 ` [RFC 12/19] xen/passthrough: iommu_deassign_device_dt: By default reassign device to nobody Julien Grall
2014-06-18 19:28 ` Stefano Stabellini
2014-07-03 11:48 ` Ian Campbell
2014-07-03 12:07 ` Julien Grall
2014-07-03 12:53 ` Ian Campbell
2014-07-03 13:01 ` Julien Grall
2014-07-03 13:42 ` Ian Campbell
2014-07-03 13:51 ` Julien Grall
2014-07-03 14:04 ` Ian Campbell
2014-07-03 14:09 ` Julien Grall
2014-06-16 16:18 ` [RFC 13/19] xen/iommu: arm: Wire iommu DOMCTL for ARM Julien Grall
2014-06-17 8:24 ` Jan Beulich
2014-06-17 13:05 ` Julien Grall
2014-06-16 16:18 ` [RFC 14/19] xen/passthrough: dt: Add new domctl XEN_DOMCTL_assign_dt_device Julien Grall
2014-06-17 8:34 ` Jan Beulich
2014-06-17 13:23 ` Julien Grall
2014-06-17 13:30 ` Jan Beulich
2014-06-17 13:48 ` Julien Grall
2014-06-17 13:55 ` Jan Beulich
2014-07-03 11:54 ` Ian Campbell
2014-06-16 16:18 ` [RFC 15/19] xen/arm: Reserve region in guest memory for device passthrough Julien Grall
2014-06-18 15:12 ` Stefano Stabellini
2014-06-18 15:23 ` Julien Grall
2014-06-18 15:26 ` Ian Campbell
2014-06-18 17:48 ` Stefano Stabellini
2014-06-18 17:54 ` Julien Grall
2014-06-18 18:14 ` Stefano Stabellini
2014-06-18 18:33 ` Julien Grall
2014-06-18 18:55 ` Stefano Stabellini
2014-07-03 11:56 ` Ian Campbell
2014-06-16 16:18 ` [RFC 16/19] libxl/arm: Introduce DT_IRQ_TYPE_* Julien Grall
2014-07-03 11:56 ` Ian Campbell
2014-06-16 16:18 ` [RFC 17/19] libxl/arm: Rename set_interrupt_ppi to set_interrupt and handle SPIs Julien Grall
2014-07-03 11:58 ` Ian Campbell
2014-07-03 12:04 ` Julien Grall
2014-07-03 14:04 ` Ian Campbell
2014-06-16 16:18 ` [RFC 18/19] libxl: Add support for non-PCI passthrough Julien Grall
2014-06-16 17:19 ` Wei Liu
2014-06-18 12:26 ` Julien Grall
2014-06-16 16:18 ` [RFC 19/19] xl: Add new option dtdev Julien Grall
2014-06-16 17:19 ` Wei Liu
2014-06-18 13:40 ` Julien Grall
2014-06-18 13:43 ` Wei Liu
2014-06-18 13:46 ` Julien Grall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53A00903.2060904@linaro.org \
--to=julien.grall@linaro.org \
--cc=JBeulich@suse.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=keir@xen.org \
--cc=stefano.stabellini@citrix.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).