From nobody Sun Dec 22 01:47:24 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) client-ip=192.237.175.120; envelope-from=xen-devel-bounces@lists.xenproject.org; helo=lists.xenproject.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass(p=reject dis=none) header.from=citrix.com ARC-Seal: i=1; a=rsa-sha256; t=1727346135; cv=none; d=zohomail.com; s=zohoarc; b=htWAw6mlPTY0cAgrCWdmxP/8Gzsl9fKKfu0BR7S1sUal9XJYNK5ydAb1Fm65fuXE8Vk7VFqmHN+v6IckHNjNupmKw8apMRcHSfrTZ3QS90W7EYoPj1vZqJqoMFRNmJ5tl/dJkhHR4bMKajvegz+kH4xYhpvXXJKNArsrW3WWjlQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1727346135; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=TMV7sv85uJEHqRmzmClkVSBMQ6SQAz9qB3gfIkmcOdA=; b=Jrhw9GRC77Sd0q7nXFw8bg1RltKW5GsyTdw47T08rJ3WCzyISqVo1T3fTkW7ctIRATGmqziiNAmTV9RILQ8wawuXFs1YsLUOB00/DE5AjqOR1EUCVU4DSfdQgibjzGjiqo9kMB/fCdEeBfYxAGN3YUUw5RDSOCDUNWEOR580spY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.xenproject.org designates 192.237.175.120 as permitted sender) smtp.mailfrom=xen-devel-bounces@lists.xenproject.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) by mx.zohomail.com with SMTPS id 1727346135040291.2584785901498; Thu, 26 Sep 2024 03:22:15 -0700 (PDT) Received: from list by lists.xenproject.org with outflank-mailman.805203.1216267 (Exim 4.92) (envelope-from ) id 1stld9-0001uY-9x; Thu, 26 Sep 2024 10:21:51 +0000 Received: by outflank-mailman (output) from mailman id 805203.1216267; Thu, 26 Sep 2024 10:21:51 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1stld9-0001uP-6D; Thu, 26 Sep 2024 10:21:51 +0000 Received: by outflank-mailman (input) for mailman id 805203; Thu, 26 Sep 2024 10:21:49 +0000 Received: from se1-gles-flk1-in.inumbo.com ([94.247.172.50] helo=se1-gles-flk1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1stld7-0001Nm-2H for xen-devel@lists.xenproject.org; Thu, 26 Sep 2024 10:21:49 +0000 Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [2a00:1450:4864:20::633]) by se1-gles-flk1.inumbo.com (Halon) with ESMTPS id 22c8ae8b-7bf1-11ef-99a2-01e77a169b0f; Thu, 26 Sep 2024 12:21:47 +0200 (CEST) Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-a8d446adf6eso112691666b.2 for ; Thu, 26 Sep 2024 03:21:47 -0700 (PDT) Received: from localhost ([213.195.124.163]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a9392f5489dsm330891566b.75.2024.09.26.03.21.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 26 Sep 2024 03:21:46 -0700 (PDT) X-Outflank-Mailman: Message body and most headers restored to incoming version X-BeenThere: xen-devel@lists.xenproject.org List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xenproject.org Precedence: list Sender: "Xen-devel" X-Inumbo-ID: 22c8ae8b-7bf1-11ef-99a2-01e77a169b0f DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=citrix.com; s=google; t=1727346106; x=1727950906; darn=lists.xenproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=TMV7sv85uJEHqRmzmClkVSBMQ6SQAz9qB3gfIkmcOdA=; b=YiE2Vp+U4LIJ78Og8lxnsu5Ip/qLjeKL171zoiSiAXacv5qvhlbSjuk+p9O1ISuyXD Ni504QrodzNYYKcy1Yb3mILdH+axCkrlB63UJewr8mNWf885JWnl9KQfixoi0iztyBtu 02NUaxqbG/spobpcUeZaARNVa1U6gdNEbSMts= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727346106; x=1727950906; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TMV7sv85uJEHqRmzmClkVSBMQ6SQAz9qB3gfIkmcOdA=; b=Edus3jaqjIKCMHhATbc0R4wCAGzJQqdiFB4EvwBZmoZLfSZc7lpi/b810pBOPidkPb anBJIq1LT4lgPE8p994+2r078m1a9V4gNygOPJ8QzDV8tCSYPH9dxG0DBsf9UZWSKH+C Xqo6Cc3bIWKG/QIoIvWYvx1NU/RYdDDDae7BNhyXDIPmD0pk2Lqb168gzWRbizcc7yMF vIGy0jHtvNf968gLQ5FBegFaV9YwshEouVs2QFIDhzQJzGo/17Mj8VlkSGogE1546eQl 1Y3JmtWvwj4bGLV8rSXBJj43+K5DnH4vdFW/IkagsRDMjkiMG0iOM8vW9AXb2DWLzZcn vefg== X-Gm-Message-State: AOJu0YwgIGOpqcWrEBuTlgJ0DaU3ZepeY7kxPubVjT24nwDEeQSmBvqX qza9ktITSQeHccRsvY+ebBpDIZ9kspH4L0dAwrhaqCFLBnQg1jCJO6Wcz6y8e/WiHF2JZwlpcbt d X-Google-Smtp-Source: AGHT+IGdLpUWffGqwTkOPLSM37brc+qOUsph25Y3A0BhmHbiDsclnm68sZ/sRfzvWI6JtjzVFsE27g== X-Received: by 2002:a17:907:ea8:b0:a8a:9246:7f57 with SMTP id a640c23a62f3a-a93a0341a1cmr582888466b.4.1727346106447; Thu, 26 Sep 2024 03:21:46 -0700 (PDT) From: Roger Pau Monne To: xen-devel@lists.xenproject.org Cc: Roger Pau Monne , Ross Lagerwall Subject: [PATCH v3 3/5] xen/livepatch: do Xen build-id check earlier Date: Thu, 26 Sep 2024 12:14:29 +0200 Message-ID: <20240926101431.97444-4-roger.pau@citrix.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240926101431.97444-1-roger.pau@citrix.com> References: <20240926101431.97444-1-roger.pau@citrix.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @citrix.com) X-ZM-MESSAGEID: 1727346135698116600 The check against the expected Xen build ID should be done ahead of attempt= ing to apply the alternatives contained in the livepatch. If the CPUID in the alternatives patching data is out of the scope of the running Xen featureset the BUG() in _apply_alternatives() will trigger thus bringing the system down. Note the layout of struct alt_instr could also change between versions. It's also possible for struct exception_table_ent= ry to have changed format, hence leading to other kind of errors if parsing of= the payload is done ahead of checking if the Xen build-id matches. Move the Xen build ID check as early as possible. To do so introduce a new check_xen_buildid() function that parses and checks the Xen build-id before moving the payload. Since the expected Xen build-id is used early to detect whether the livepatch payload could be loaded, there's no reason to store it in the payload struct, as a non-matching Xen build-id won't get the payload populated in the first place. Note printing the expected Xen build ID has part of dumping the payload information is no longer done: all loaded payloads would have Xen build IDs matching the running Xen, otherwise they would have failed to load. Fixes: 879615f5db1d ('livepatch: Always check hypervisor build ID upon live= patch upload') Signed-off-by: Roger Pau Monn=C3=A9 Reviewed-by: Andrew Cooper Reviewed-by: Ross Lagerwall --- Changes since v2: - Move contents of xen_build_id_dep() into check_xen_buildid(). Changes since v1: - Do the Xen build-id check even earlier. --- xen/common/livepatch.c | 86 +++++++++++++++++------------ xen/include/xen/livepatch_payload.h | 1 - 2 files changed, 50 insertions(+), 37 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 50e2268e19a3..f7db4be96e66 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -448,28 +448,6 @@ static bool section_ok(const struct livepatch_elf *elf, return true; } =20 -static int xen_build_id_dep(const struct payload *payload) -{ - const void *id =3D NULL; - unsigned int len =3D 0; - int rc; - - ASSERT(payload->xen_dep.len); - ASSERT(payload->xen_dep.p); - - rc =3D xen_build_id(&id, &len); - if ( rc ) - return rc; - - if ( payload->xen_dep.len !=3D len || memcmp(id, payload->xen_dep.p, l= en) ) { - printk(XENLOG_ERR LIVEPATCH "%s: check against hypervisor build-id= failed\n", - payload->name); - return -EINVAL; - } - - return 0; -} - /* Parses build-id sections into the given destination. */ static int parse_buildid(const struct livepatch_elf_sec *sec, struct livepatch_build_id *id) @@ -495,11 +473,56 @@ static int parse_buildid(const struct livepatch_elf_s= ec *sec, return 0; } =20 +static int check_xen_buildid(const struct livepatch_elf *elf) +{ + const void *id; + unsigned int len; + struct livepatch_build_id lp_id; + const struct livepatch_elf_sec *sec =3D + livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_XEN_DEPENDS); + int rc; + + if ( !sec ) + { + printk(XENLOG_ERR LIVEPATCH "%s: section %s is missing\n", + elf->name, ELF_LIVEPATCH_XEN_DEPENDS); + return -EINVAL; + } + + rc =3D parse_buildid(sec, &lp_id); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH + "%s: failed to parse section %s as build-id: %d\n", + elf->name, ELF_LIVEPATCH_XEN_DEPENDS, rc); + return -EINVAL; + } + + rc =3D xen_build_id(&id, &len); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH + "%s: unable to get running Xen build-id: %d\n", + elf->name, rc); + return rc; + } + + if ( lp_id.len !=3D len || memcmp(id, lp_id.p, len) ) + { + printk(XENLOG_ERR LIVEPATCH "%s: build-id mismatch:\n" + "=C2=A0 livepatch: %*phN\n" + "=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0 xen: %*phN\n", + elf->name, lp_id.len, lp_id.p, len, id); + return -EINVAL; + } + + return 0; +} + static int check_special_sections(const struct livepatch_elf *elf) { unsigned int i; static const char *const names[] =3D { ELF_LIVEPATCH_DEPENDS, - ELF_LIVEPATCH_XEN_DEPENDS, ELF_BUILD_ID_NOTE}; =20 for ( i =3D 0; i < ARRAY_SIZE(names); i++ ) @@ -755,12 +778,6 @@ static int prepare_payload(struct payload *payload, if ( rc ) return rc; =20 - rc =3D parse_buildid(livepatch_elf_sec_by_name(elf, - ELF_LIVEPATCH_XEN_DEPENDS= ), - &payload->xen_dep); - if ( rc ) - return rc; - /* Setup the virtual region with proper data. */ region =3D &payload->region; =20 @@ -1069,6 +1086,10 @@ static int load_payload_data(struct payload *payload= , void *raw, size_t len) if ( rc ) goto out; =20 + rc =3D check_xen_buildid(&elf); + if ( rc ) + goto out; + rc =3D move_payload(payload, &elf); if ( rc ) goto out; @@ -1093,10 +1114,6 @@ static int load_payload_data(struct payload *payload= , void *raw, size_t len) if ( rc ) goto out; =20 - rc =3D xen_build_id_dep(payload); - if ( rc ) - goto out; - rc =3D build_symbol_table(payload, &elf); if ( rc ) goto out; @@ -2199,9 +2216,6 @@ static void cf_check livepatch_printall(unsigned char= key) =20 if ( data->dep.len ) printk("depend-on=3D%*phN\n", data->dep.len, data->dep.p); - - if ( data->xen_dep.len ) - printk("depend-on-xen=3D%*phN\n", data->xen_dep.len, data->xen= _dep.p); } =20 spin_unlock(&payload_lock); diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatc= h_payload.h index 472d6a4a63c1..c6dc7cb5fa21 100644 --- a/xen/include/xen/livepatch_payload.h +++ b/xen/include/xen/livepatch_payload.h @@ -62,7 +62,6 @@ struct payload { unsigned int nsyms; /* Nr of entries in .strtab and s= ymbols. */ struct livepatch_build_id id; /* ELFNOTE_DESC(.note.gnu.build-i= d) of the payload. */ struct livepatch_build_id dep; /* ELFNOTE_DESC(.livepatch.depend= s). */ - struct livepatch_build_id xen_dep; /* ELFNOTE_DESC(.livepatch.xen_de= pends). */ livepatch_loadcall_t *const *load_funcs; /* The array of funcs to ca= ll after */ livepatch_unloadcall_t *const *unload_funcs;/* load and unload of the = payload. */ struct livepatch_hooks hooks; /* Pre and post hooks for apply a= nd revert */ --=20 2.46.0