From nobody Thu Apr 18 22:44:35 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender) client-ip=192.237.175.120;
 envelope-from=xen-devel-bounces@lists.xenproject.org;
 helo=lists.xenproject.org;
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org
ARC-Seal: i=1; a=rsa-sha256; t=1599802291; cv=none;
	d=zohomail.com; s=zohoarc;
	b=jJpN0Ayemc9onDYTCjgMFPMspYaOGpQx4G6DgMbjop1GIpRB+Nyo1ZIcDLwCv1HPj4mDs7fS/pmDOS6LtPQiQzSFB/zjawALb3d9h2T8CQenzVOzL9Kb/KzpkwOywh+I4wAKsnpwRhL0OSDoeY/hcsagFb6Q1njB3L7BGuHchO0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1599802291;
 h=Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To;
	bh=tdzA/vgR3HNv816w1mko9RW/m1ShRkgr0TWH69P9oEw=;
	b=muy70e2Eux1d2JA+2HFZpvxY5eMBrtA2h0Kk/7urgAH/vZavc419K5jh9r30+1gGL2kzlfmMSf4VORGYIcCt5ekTMzEKwFCPv5KyrFUFHydStGGmIlwFRcOb8Jd++yeoQBi4Vbccm49Ml0K8294MgIi2QQiWwrgYDa9nO4o1Xo8=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	spf=pass (zohomail.com: domain of lists.xenproject.org designates
 192.237.175.120 as permitted sender)
  smtp.mailfrom=xen-devel-bounces@lists.xenproject.org
Return-Path: <xen-devel-bounces@lists.xenproject.org>
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
 by mx.zohomail.com
	with SMTPS id 1599802291405138.56085213449;
 Thu, 10 Sep 2020 22:31:31 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.92)
	(envelope-from <xen-devel-bounces@lists.xenproject.org>)
	id 1kGbe4-000857-NI; Fri, 11 Sep 2020 05:30:48 +0000
Received: from us1-rack-iad1.inumbo.com ([172.99.69.81])
 by lists.xenproject.org with esmtp (Exim 4.92)
 (envelope-from <SRS0=DvaW=CU=suse.com=jgross@srs-us1.protection.inumbo.net>)
 id 1kGbe3-000852-Kp
 for xen-devel@lists.xenproject.org; Fri, 11 Sep 2020 05:30:47 +0000
Received: from mx2.suse.de (unknown [195.135.220.15])
 by us1-rack-iad1.inumbo.com (Halon) with ESMTPS
 id 041637f0-069f-4110-9499-3c88b1aa74dd;
 Fri, 11 Sep 2020 05:30:46 +0000 (UTC)
Received: from relay2.suse.de (unknown [195.135.221.27])
 by mx2.suse.de (Postfix) with ESMTP id 40676B37D;
 Fri, 11 Sep 2020 05:31:01 +0000 (UTC)
X-Inumbo-ID: 041637f0-069f-4110-9499-3c88b1aa74dd
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
From: Juergen Gross <jgross@suse.com>
To: xen-devel@lists.xenproject.org
Cc: Juergen Gross <jgross@suse.com>,
 Andrew Cooper <andrew.cooper3@citrix.com>,
 George Dunlap <george.dunlap@citrix.com>, Ian Jackson <iwj@xenproject.org>,
 Jan Beulich <jbeulich@suse.com>, Julien Grall <julien@xen.org>,
 Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>
Subject: [PATCH] xen/hypfs: fix writing of custom parameter
Date: Fri, 11 Sep 2020 07:30:43 +0200
Message-Id: <20200911053043.29445-1-jgross@suse.com>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-BeenThere: xen-devel@lists.xenproject.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xenproject.org>
List-Unsubscribe: <https://lists.xenproject.org/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xenproject.org>
List-Help: <mailto:xen-devel-request@lists.xenproject.org?subject=help>
List-Subscribe: <https://lists.xenproject.org/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xenproject.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xenproject.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xenproject.org>
Content-Type: text/plain; charset="utf-8"

Today the maximum allowed data length for writing a hypfs node is
tested in the generic hypfs_write() function. For custom runtime
parameters this might be wrong, as the maximum allowed size is derived
from the buffer holding the current setting, while there might be ways
to set the parameter needing more characters than the minimal
representation of that value.

One example for this is the "ept" parameter. Its value buffer is sized
to be able to hold the string "exec-sp=3D0" or "exec-sp=3D1", while it is
allowed to use e.g. "no-exec-sp" or "exec-sp=3Dyes" for setting it.

Fix that by moving the length check one level down to the type
specific write function.

In order to avoid allocation of arbitrary sized buffers use a new
MAX_PARAM_SIZE macro as an upper limit for custom writes. The value
of MAX_PARAM_SIZE is the same as the limit in parse_params() for a
single parameter.

Fixes: 5b5ccafb0c42 ("xen: add basic hypervisor filesystem support")
Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
 xen/common/hypfs.c      | 11 +++++++----
 xen/common/kernel.c     |  2 +-
 xen/include/xen/param.h |  3 +++
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/xen/common/hypfs.c b/xen/common/hypfs.c
index b74c228191..8e932b5cf9 100644
--- a/xen/common/hypfs.c
+++ b/xen/common/hypfs.c
@@ -297,7 +297,9 @@ int hypfs_write_leaf(struct hypfs_entry_leaf *leaf,
     int ret;
=20
     ASSERT(this_cpu(hypfs_locked) =3D=3D hypfs_write_locked);
-    ASSERT(ulen <=3D leaf->e.max_size);
+
+    if ( ulen > leaf->e.max_size )
+        return -ENOSPC;
=20
     if ( leaf->e.type !=3D XEN_HYPFS_TYPE_STRING &&
          leaf->e.type !=3D XEN_HYPFS_TYPE_BLOB && ulen !=3D leaf->e.size )
@@ -356,6 +358,10 @@ int hypfs_write_custom(struct hypfs_entry_leaf *leaf,
=20
     ASSERT(this_cpu(hypfs_locked) =3D=3D hypfs_write_locked);
=20
+    /* Avoid oversized buffer allocation. */
+    if ( ulen > MAX_PARAM_SIZE )
+        return -ENOSPC;
+
     buf =3D xzalloc_array(char, ulen);
     if ( !buf )
         return -ENOMEM;
@@ -386,9 +392,6 @@ static int hypfs_write(struct hypfs_entry *entry,
=20
     ASSERT(entry->max_size);
=20
-    if ( ulen > entry->max_size )
-        return -ENOSPC;
-
     l =3D container_of(entry, struct hypfs_entry_leaf, e);
=20
     return entry->write(l, uaddr, ulen);
diff --git a/xen/common/kernel.c b/xen/common/kernel.c
index 9de07b7ac5..c3a943f077 100644
--- a/xen/common/kernel.c
+++ b/xen/common/kernel.c
@@ -57,7 +57,7 @@ static int assign_integer_param(const struct kernel_param=
 *param, uint64_t val)
 static int parse_params(const char *cmdline, const struct kernel_param *st=
art,
                         const struct kernel_param *end)
 {
-    char opt[128], *optval, *optkey, *q;
+    char opt[MAX_PARAM_SIZE], *optval, *optkey, *q;
     const char *p =3D cmdline, *key;
     const struct kernel_param *param;
     int rc, final_rc =3D 0;
diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h
index f4be944248..d0409d3a0e 100644
--- a/xen/include/xen/param.h
+++ b/xen/include/xen/param.h
@@ -26,6 +26,9 @@ struct kernel_param {
     } par;
 };
=20
+/* Maximum length of a single parameter string. */
+#define MAX_PARAM_SIZE 128
+
 extern const struct kernel_param __setup_start[], __setup_end[];
=20
 #define __param(att)      static const att \
--=20
2.26.2