From patchwork Fri Dec 9 15:44:45 2016
X-Patchwork-Submitter: Ian Jackson
X-Patchwork-Id: 9468487
From: Ian Jackson
Date: Fri, 9 Dec 2016 15:44:45 +0000
Message-ID: <1481298289-13546-5-git-send-email-ian.jackson@eu.citrix.com>
In-Reply-To: <1481298289-13546-1-git-send-email-ian.jackson@eu.citrix.com>
References: <22602.39819.815607.194639@mariner.uk.xensource.com> <1481298289-13546-1-git-send-email-ian.jackson@eu.citrix.com>
Cc: Stefano Stabellini, Wei Liu, George Dunlap, Andrew Cooper, Tim Deegan, Jan Beulich, Ian Jackson
Subject: [Xen-devel] [PATCH 4/8] libelf: loop safety: Call elf_iter_ok_counted at every *mem*_unsafe

When we use elf_mem*_unsafe, we need to check that we are not doing too much work. Ensure that a call to elf_iter_ok_counted is near every call to elf_mem*_unsafe. (At one call site, just have a comment instead.)

Signed-off-by: Ian Jackson
Acked-by: Jan Beulich

--- xen/common/libelf/libelf-dominfo.c | 1 + xen/common/libelf/libelf-loader.c | 2 +- xen/common/libelf/libelf-tools.c | 6 ++++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c index b139e32..87a47d9 100644 --- a/xen/common/libelf/libelf-dominfo.c +++ b/xen/common/libelf/libelf-dominfo.c @@ -498,6 +498,7 @@ elf_errorstatus elf_xen_parse(struct elf_binary *elf, unsigned total_note_count = 0; elf_memset_unchecked(parms, 0, sizeof(*parms)); + elf_iter_ok_counted(elf, sizeof(*parms)); parms->virt_base = UNSET_ADDR; parms->virt_entry = UNSET_ADDR; parms->virt_hypercall = UNSET_ADDR; diff --git a/xen/common/libelf/libelf-loader.c b/xen/common/libelf/libelf-loader.c index 68c9021..d5e51d3 100644 
--- a/xen/common/libelf/libelf-loader.c +++ b/xen/common/libelf/libelf-loader.c @@ -46,7 +46,7 @@ elf_errorstatus elf_init(struct elf_binary *elf, const char *image_input, size_t return -1; } - elf_memset_unchecked(elf, 0, sizeof(*elf)); + elf_memset_unchecked(elf, 0, sizeof(*elf)); /* loop safety: singleton */ elf->image_base = image_input; elf->size = size; elf->ehdr = ELF_MAKE_HANDLE(elf_ehdr, (elf_ptrval)image_input); diff --git a/xen/common/libelf/libelf-tools.c b/xen/common/libelf/libelf-tools.c index 56dab63..ab83150 100644 --- a/xen/common/libelf/libelf-tools.c +++ b/xen/common/libelf/libelf-tools.c @@ -69,7 +69,8 @@ void elf_memcpy_safe(struct elf_binary *elf, elf_ptrval dst, elf_ptrval src, size_t size) { if ( elf_access_ok(elf, dst, size) && - elf_access_ok(elf, src, size) ) + elf_access_ok(elf, src, size) && + elf_iter_ok_counted(elf, size) ) { /* use memmove because these checks do not prove that the * regions don't overlap and overlapping regions grant @@ -80,7 +81,8 @@ void elf_memcpy_safe(struct elf_binary *elf, elf_ptrval dst, void elf_memset_safe(struct elf_binary *elf, elf_ptrval dst, int c, size_t size) { - if ( elf_access_ok(elf, dst, size) ) + if ( elf_access_ok(elf, dst, size) && + elf_iter_ok_counted(elf, size)) { elf_memset_unchecked(ELF_UNSAFE_PTR(dst), c, size); }
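
Review bot: In the libelf-dominfo.c hunk (elf_xen_parse), the return value of the new elf_iter_ok_counted(elf, sizeof(*parms)) call is discarded, and the call sits after elf_memset_unchecked(parms, 0, sizeof(*parms)) has already run. In the libelf-tools.c hunks the same function gates the operation inside the if condition, so here it reads as an oversight unless the intent is stated. Either check the result and fail the parse when the budget is exhausted, or add a short comment saying the call is only there to charge the work counter and that the result is deliberately ignored.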
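
Review bot: In the libelf-loader.c hunk (elf_init), the comment "loop safety: singleton" is too terse to tell a later reader why this elf_memset_unchecked call is exempt from counting. Suggest spelling out the reasoning, for example that the call happens once per elf_init and clears a fixed sizeof(*elf) bytes, so it cannot be driven by the image contents. Separately, the commit message and subject refer to elf_mem*_unsafe while the functions touched in these hunks are named elf_memset_unchecked; aligning the wording would make the change easier to find by grep.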
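
Review bot: In the first libelf-tools.c hunk (elf_memcpy_safe), a failed elf_iter_ok_counted(elf, size) now makes the copy a silent no-op, and because the function returns void the caller cannot tell a skipped copy from a completed one. The existing elf_access_ok checks already behave that way, but a budget failure is a new reason for skipping, so the function's documentation should mention it, and it is worth confirming that elf_iter_ok_counted records the failure on the elf so that later code stops treating the destination as populated. Note also that, being last in the && chain, the counter is only charged when both access checks pass; say so in a comment if that is intended.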
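
Review bot: In the second libelf-tools.c hunk (elf_memset_safe), the added line ends with "elf_iter_ok_counted(elf, size))" with no space before the closing parenthesis of the if, while the matching line in elf_memcpy_safe just above uses "elf_iter_ok_counted(elf, size) )". Please add the space so the condition matches the "if ( ... )" style used by the surrounding code. The point about a budget failure silently turning the operation into a no-op applies here as well.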