From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH v3 05/23] xsplice: Add helper elf routines
 (v4)
Date: Fri, 12 Feb 2016 20:52:34 +0000
Message-ID: <56BE4612.3000908@citrix.com>
References: <1455300361-13092-1-git-send-email-konrad.wilk@oracle.com>
	<1455300361-13092-6-git-send-email-konrad.wilk@oracle.com>
	<56BE3F79.5020607@citrix.com>
	<20160212204723.GC20694@char.us.oracle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <20160212204723.GC20694@char.us.oracle.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Keir Fraser <keir@xen.org>, Ian Campbell <ian.campbell@citrix.com>, jinsong.liu@alibaba-inc.com, Ian Jackson <ian.jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>, mpohlack@amazon.de, ross.lagerwall@citrix.com, Jan Beulich <jbeulich@suse.com>, xen-devel@lists.xenproject.org, xen-devel@lists.xen.org, sasha.levin@citrix.com
List-Id: xen-devel@lists.xenproject.org

On 12/02/16 20:47, Konrad Rzeszutek Wilk wrote:
>>> +struct xsplice_elf_sec *xsplice_elf_sec_by_name(const struct xsplice_elf *elf,
>>> +                                                const char *name)
>>> +{
>>> +    unsigned int i;
>>> +
>>> +    for ( i = 0; i < elf->hdr->e_shnum; i++ )
>>> +    {
>>> +        if ( !strcmp(name, elf->sec[i].name) )
>>> +            return &elf->sec[i];
>>> +    }
>>> +
>>> +    return NULL;
>>> +}
>>> +
>>> +static int elf_resolve_sections(struct xsplice_elf *elf, uint8_t *data)
>>> +{
>>> +    struct xsplice_elf_sec *sec;
>>> +    unsigned int i;
>>> +
>>> +    sec = xmalloc_array(struct xsplice_elf_sec, elf->hdr->e_shnum);
>> Presumably there will be some sanity checks done somewhere between the
>> hypercall and here?
> There are checks on it but not the value itself. As in the payload could
> have e_shnum be some astronomical value because of many .sections in the
> file (even the ones we do not use). We could combat that by having
> an whitelist of sections - and:
>  - If the payload has them return -EINVAL.
>  - If the payload has them - ignore them and continue on but instead of
>    using e_shnum use the counted value of the sections we expect?
>
> Preferences?

Anything more than a handful of sections is likely to be a bogus ELF
file.  I would put a hard limit (64 perhaps?).  If we fine a plausible
usecase for that many sections in a patch, we can revisit the logic.

We should bail in any situation where we find a value we don't like,
such as an unknown section.  As this is binary patching Xen, I would
prefer not to take any unnecessary risks.

~Andrew