From patchwork Wed Sep 25 08:42:34 2024
X-Patchwork-Submitter: Roger Pau Monné
X-Patchwork-Id: 13811790
From: Roger Pau Monne To: xen-devel@lists.xenproject.org Cc: Roger Pau Monne , Ross Lagerwall Subject: [PATCH v2 1/6] xen/livepatch: remove useless check for duplicated sections Date: Wed, 25 Sep 2024 10:42:34 +0200 Message-ID: <20240925084239.85649-2-roger.pau@citrix.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240925084239.85649-1-roger.pau@citrix.com> References: <20240925084239.85649-1-roger.pau@citrix.com> MIME-Version: 1.0 The current check for duplicated sections in a payload is not effective. Such check is done inside a loop that iterates over the sections names, it's logically impossible for the bitmap to be set more than once. The usage of a bitmap in check_patching_sections() has been replaced with a boolean, since the function just cares that at least one of the special sections is present. No functional change intended, as the check was useless. Fixes: 29f4ab0b0a4f ('xsplice: Implement support for applying/reverting/replacing patches.') Fixes: 76b3d4098a92 ('livepatch: Do not enforce ELF_LIVEPATCH_FUNC section presence') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper and I'm very --- Changes since v1: - New in this version. --- xen/common/livepatch.c | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index d93a556bcda2..df41dcce970a 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -473,7 +473,6 @@ static int check_special_sections(const struct livepatch_elf *elf) static const char *const names[] = { ELF_LIVEPATCH_DEPENDS, ELF_LIVEPATCH_XEN_DEPENDS, ELF_BUILD_ID_NOTE}; - DECLARE_BITMAP(found, ARRAY_SIZE(names)) = { 0 }; for ( i = 0; i < ARRAY_SIZE(names); i++ ) { 
@@ -493,13 +492,6 @@ static int check_special_sections(const struct livepatch_elf *elf) elf->name, names[i]); return -EINVAL; } - - if ( test_and_set_bit(i, found) ) - { - printk(XENLOG_ERR LIVEPATCH "%s: %s was seen more than once\n", - elf->name, names[i]); - return -EINVAL; - } } return 0; @@ -517,7 +509,7 @@ static int check_patching_sections(const struct livepatch_elf *elf) ELF_LIVEPATCH_PREREVERT_HOOK, ELF_LIVEPATCH_REVERT_HOOK, ELF_LIVEPATCH_POSTREVERT_HOOK}; - DECLARE_BITMAP(found, ARRAY_SIZE(names)) = { 0 }; + bool found = false; /* * The patching sections are optional, but at least one 
@@ -544,16 +536,11 @@ static int check_patching_sections(const struct livepatch_elf *elf) return -EINVAL; } - if ( test_and_set_bit(i, found) ) - { - printk(XENLOG_ERR LIVEPATCH "%s: %s was seen more than once\n", - elf->name, names[i]); - return -EINVAL; - } + found = true; } /* Checking if at least one section is present. */ - if ( bitmap_empty(found, ARRAY_SIZE(names)) ) + if ( !found ) { printk(XENLOG_ERR LIVEPATCH "%s: Nothing to patch. Aborting...\n", elf->name);
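Review bot: with the "was seen more than once" branch removed from both check_special_sections() and check_patching_sections(), nothing in these hunks says what happens to a payload that really does carry two sections with the same name. The commit message explains why the bitmap could never fire (the loop is indexed by names[i], so bit i is only tested once), but not whether such duplicates are rejected somewhere else or simply tolerated. Please state that in the commit message or in a short comment next to `found = true;`, so readers do not assume a protection that never existed. Separately, two Fixes: tags on a change described as "No functional change intended" may flag this cleanup for backporting; consider dropping them if that is not the intent.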
From patchwork Wed Sep 25 08:42:35 2024
X-Patchwork-Submitter: Roger Pau Monné
X-Patchwork-Id: 13811789
From: Roger Pau Monne To: xen-devel@lists.xenproject.org Cc: Roger Pau Monne , Ross Lagerwall Subject: [PATCH v2 2/6] xen/livepatch: zero pointer to temporary load buffer Date: Wed, 25 Sep 2024 10:42:35 +0200 Message-ID: <20240925084239.85649-3-roger.pau@citrix.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240925084239.85649-1-roger.pau@citrix.com> References: <20240925084239.85649-1-roger.pau@citrix.com> MIME-Version: 1.0 The livepatch_elf_sec data field points to the temporary load buffer, it's the load_addr field that points to the stable loaded section data. Zero the data field once load_addr is set, as it would otherwise become a dangling pointer once the load buffer is freed. No functional change intended. Signed-off-by: Roger Pau Monné --- Changes since v1: - New in this version. --- xen/common/livepatch.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index df41dcce970a..87b3db03e26d 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c
@@ -383,6 +383,9 @@ static int move_payload(struct payload *payload, struct livepatch_elf *elf) } else memset(elf->sec[i].load_addr, 0, elf->sec[i].sec->sh_size); + + /* Avoid leaking pointers to temporary load buffers. */ + elf->sec[i].data = NULL; } }
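Review bot: the new `elf->sec[i].data = NULL;` in move_payload() appears to sit inside the inner block that assigns load_addr (two closing braces follow it), so only sections that pass through that block get their pointer cleared. If that block is conditional, every section it skips keeps a `data` pointer into the temporary buffer, which is exactly the dangling pointer the commit message sets out to avoid. Either clear `data` for all sections once the loop is done, or extend the comment to say why the skipped sections are never dereferenced after the load buffer is freed.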
From patchwork Wed Sep 25 08:42:36 2024
X-Patchwork-Submitter: Roger Pau Monné
X-Patchwork-Id: 13811791
From: Roger Pau Monne To: xen-devel@lists.xenproject.org Cc: Roger Pau Monne , Ross Lagerwall Subject: [PATCH v2 3/6] xen/livepatch: simplify and unify logic in prepare_payload() Date: Wed, 25 Sep 2024 10:42:36 +0200 Message-ID: <20240925084239.85649-4-roger.pau@citrix.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240925084239.85649-1-roger.pau@citrix.com> References: <20240925084239.85649-1-roger.pau@citrix.com> MIME-Version: 1.0 The following sections: .note.gnu.build-id, .livepatch.xen_depends and .livepatch.depends are mandatory and ensured to be present by check_special_sections() before prepare_payload() is called. Simplify the logic in prepare_payload() by introducing a generic function to parse the sections that contain a buildid. Note the function assumes the buildid related section to always be present. No functional change intended. Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- Changes since v1: - Rename. - Change order of assert. --- xen/common/livepatch.c | 110 +++++++++++++++++++---------------------- 1 file changed, 50 insertions(+), 60 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 87b3db03e26d..8e61083f23a7 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c
@@ -470,6 +470,31 @@ static int xen_build_id_dep(const struct payload *payload) return 0; } +/* Parses build-id sections into the given destination. */ +static int parse_buildid(const struct livepatch_elf_sec *sec, + struct livepatch_build_id *id) +{ + const Elf_Note *n; + int rc; + + /* Presence of the sections is ensured by check_special_sections(). */ + ASSERT(sec); + + n = sec->load_addr; + + if ( sec->sec->sh_size <= sizeof(*n) ) + return -EINVAL; + + rc = xen_build_id_check(n, sec->sec->sh_size, &id->p, &id->len); + if ( rc ) + return rc; + + if ( !id->len || !id->p ) + return -EINVAL; + + return 0; +} + static int check_special_sections(const struct livepatch_elf *elf) { unsigned int i; @@ -641,11 +666,12 @@ static int prepare_payload(struct payload *payload, struct livepatch_elf *elf) { const struct livepatch_elf_sec *sec; + const struct payload *data; unsigned int i; struct livepatch_func *funcs; struct livepatch_func *f; struct virtual_region *region; - const Elf_Note *n; + int rc; sec = livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_FUNC); if ( sec ) @@ -663,8 +689,6 @@ static int prepare_payload(struct payload *payload, for ( i = 0; i < payload->nfuncs; i++ ) { - int rc; - f = &(funcs[i]); if ( f->version != LIVEPATCH_PAYLOAD_VERSION ) 
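Review bot: parse_buildid() guards against a missing section only with `ASSERT(sec);` and then reads `sec->load_addr`. ASSERT() is compiled out of non-debug Xen builds, and the callers later in this patch pass the result of livepatch_elf_sec_by_name() straight in, so in a release hypervisor the only thing standing between a payload without the section and a NULL dereference is the call ordering against check_special_sections(). Since this code parses an uploaded payload, consider adding `if ( !sec ) return -EINVAL;` after the assert, or at least spell out the ordering requirement in the comment above the function.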
@@ -707,69 +731,35 @@ static int prepare_payload(struct payload *payload, LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.action, ELF_LIVEPATCH_REVERT_HOOK); LIVEPATCH_ASSIGN_SINGLE_HOOK(elf, payload->hooks.revert.post, ELF_LIVEPATCH_POSTREVERT_HOOK); - sec = livepatch_elf_sec_by_name(elf, ELF_BUILD_ID_NOTE); - if ( sec ) - { - const struct payload *data; - - n = sec->load_addr; - - if ( sec->sec->sh_size <= sizeof(*n) ) - return -EINVAL; - - if ( xen_build_id_check(n, sec->sec->sh_size, - &payload->id.p, &payload->id.len) ) - return -EINVAL; - - if ( !payload->id.len || !payload->id.p ) - return -EINVAL; + rc = parse_buildid(livepatch_elf_sec_by_name(elf, ELF_BUILD_ID_NOTE), + &payload->id); + if ( rc ) + return rc; - /* Make sure it is not a duplicate. */ - list_for_each_entry ( data, &payload_list, list ) + /* Make sure it is not a duplicate. */ + list_for_each_entry ( data, &payload_list, list ) + { + /* No way _this_ payload is on the list. */ + ASSERT(data != payload); + if ( data->id.len == payload->id.len && + !memcmp(data->id.p, payload->id.p, data->id.len) ) { - /* No way _this_ payload is on the list. 
*/ - ASSERT(data != payload); - if ( data->id.len == payload->id.len && - !memcmp(data->id.p, payload->id.p, data->id.len) ) - { - dprintk(XENLOG_DEBUG, LIVEPATCH "%s: Already loaded as %s!\n", - elf->name, data->name); - return -EEXIST; - } + dprintk(XENLOG_DEBUG, LIVEPATCH "%s: Already loaded as %s!\n", + elf->name, data->name); + return -EEXIST; } } - sec = livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_DEPENDS); - if ( sec ) - { - n = sec->load_addr; - - if ( sec->sec->sh_size <= sizeof(*n) ) - return -EINVAL; - - if ( xen_build_id_check(n, sec->sec->sh_size, - &payload->dep.p, &payload->dep.len) ) - return -EINVAL; - - if ( !payload->dep.len || !payload->dep.p ) - return -EINVAL; - } - - sec = livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_XEN_DEPENDS); - if ( sec ) - { - n = sec->load_addr; - - if ( sec->sec->sh_size <= sizeof(*n) ) - return -EINVAL; - - if ( xen_build_id_check(n, sec->sec->sh_size, - &payload->xen_dep.p, &payload->xen_dep.len) ) - return -EINVAL; + rc = parse_buildid(livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_DEPENDS), + &payload->dep); + if ( rc ) + return rc; - if ( !payload->xen_dep.len || !payload->xen_dep.p ) - return -EINVAL; - } + rc = parse_buildid(livepatch_elf_sec_by_name(elf, + ELF_LIVEPATCH_XEN_DEPENDS), + &payload->xen_dep); + if ( rc ) + return rc; /* Setup the virtual region with proper data. 
*/ region = &payload->region;
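Review bot: in prepare_payload() a failing xen_build_id_check() used to be mapped to -EINVAL, whereas the new `rc = parse_buildid(...); if ( rc ) return rc;` hands back whatever that function returned, which sits oddly with "No functional change intended". If every failure of xen_build_id_check() is already -EINVAL, say so in the commit message; otherwise mention there that the error code seen by the caller can now differ.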
From patchwork Wed Sep 25 08:42:37 2024
X-Patchwork-Submitter: Roger Pau Monné
X-Patchwork-Id: 13811792
From: Roger Pau Monne To: xen-devel@lists.xenproject.org Cc: Roger Pau Monne , Ross Lagerwall Subject: [PATCH v2 4/6] xen/livepatch: do Xen build-id check earlier Date: Wed, 25 Sep 2024 10:42:37 +0200 Message-ID: <20240925084239.85649-5-roger.pau@citrix.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240925084239.85649-1-roger.pau@citrix.com> References: <20240925084239.85649-1-roger.pau@citrix.com> MIME-Version: 1.0 The check against the expected Xen build ID should be done ahead of attempting to apply the alternatives contained in the livepatch. If the CPUID in the alternatives patching data is out of the scope of the running Xen featureset the BUG() in _apply_alternatives() will trigger thus bringing the system down. Note the layout of struct alt_instr could also change between versions. It's also possible for struct exception_table_entry to have changed format, hence leading to other kinds of errors if parsing of the payload is done ahead of checking if the Xen build-id matches. Move the Xen build ID check as early as possible. To do so introduce a new check_xen_buildid() function that parses and checks the Xen build-id before moving the payload. Since the expected Xen build-id is used early to detect whether the livepatch payload could be loaded, there's no reason to store it in the payload struct, as a non-matching Xen build-id won't get the payload populated in the first place. Note parse_buildid() has to be slightly adjusted to allow fetching the section data from the 'data' field instead of the 'load_addr' one: with the Xen build ID moved ahead of move_payload() 'load_addr' is not yet set when the Xen build ID check is performed. Also printing the expected Xen build ID as part of dumping the payload is no longer done, as all loaded payloads would have Xen build IDs matching the running Xen, otherwise they would have failed to load. Fixes: 879615f5db1d ('livepatch: Always check hypervisor build ID upon livepatch upload')
Signed-off-by: Roger Pau Monné --- Changes since v1: - Do the Xen build-id check even earlier. --- xen/common/livepatch.c | 66 +++++++++++++++++++---------- xen/include/xen/livepatch_payload.h | 1 - 2 files changed, 44 insertions(+), 23 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 8e61083f23a7..895c425cd5ea 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -448,24 +448,21 @@ static bool section_ok(const struct livepatch_elf *elf, return true; } -static int xen_build_id_dep(const struct payload *payload) +static int xen_build_id_dep(const struct livepatch_build_id *expected) { const void *id = NULL; unsigned int len = 0; int rc; - ASSERT(payload->xen_dep.len); - ASSERT(payload->xen_dep.p); + ASSERT(expected->len); + ASSERT(expected->p); rc = xen_build_id(&id, &len); if ( rc ) return rc; - if ( payload->xen_dep.len != len || memcmp(id, payload->xen_dep.p, len) ) { - printk(XENLOG_ERR LIVEPATCH "%s: check against hypervisor build-id failed\n", - payload->name); + if ( expected->len != len || memcmp(id, expected->p, len) ) return -EINVAL; - } return 0; } @@ -480,7 +477,8 @@ static int parse_buildid(const struct livepatch_elf_sec *sec, /* Presence of the sections is ensured by check_special_sections(). */ ASSERT(sec); - n = sec->load_addr; + /* Possibly use the temporary load buffer if load_addr isn't yet set. */ + n = sec->load_addr ?: sec->data; if ( sec->sec->sh_size <= sizeof(*n) ) return -EINVAL; 
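Review bot: `n = sec->load_addr ?: sec->data;` in parse_buildid() yields NULL when neither pointer is set, and the following `sh_size <= sizeof(*n)` test does not catch that before `n` is handed to xen_build_id_check(). With patch 2/6 clearing `data` once `load_addr` is assigned, the two fields are meant to be mutually exclusive, but that invariant is only implicit here. Add `if ( !n ) return -EINVAL;` (or an ASSERT with a comment naming the invariant) so that a section with neither pointer is rejected rather than parsed.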
@@ -495,11 +493,44 @@ static int parse_buildid(const struct livepatch_elf_sec *sec, return 0; } +static int check_xen_buildid(const struct livepatch_elf *elf) +{ + struct livepatch_build_id id; + const struct livepatch_elf_sec *sec = + livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_XEN_DEPENDS); + int rc; + + if ( !sec ) + { + printk(XENLOG_ERR LIVEPATCH "%s: %s is missing\n", + elf->name, ELF_LIVEPATCH_XEN_DEPENDS); + return -EINVAL; + } + + rc = parse_buildid(sec, &id); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH "%s: failed to parse build-id at %s: %d\n", + elf->name, ELF_LIVEPATCH_XEN_DEPENDS, rc); + return -EINVAL; + } + + rc = xen_build_id_dep(&id); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH + "%s: check against hypervisor build-id failed: %d\n", + elf->name, rc); + return -EINVAL; + } + + return 0; +} + static int check_special_sections(const struct livepatch_elf *elf) { unsigned int i; static const char *const names[] = { ELF_LIVEPATCH_DEPENDS, - ELF_LIVEPATCH_XEN_DEPENDS, ELF_BUILD_ID_NOTE}; for ( i = 0; i < ARRAY_SIZE(names); i++ ) @@ -755,12 +786,6 @@ static int prepare_payload(struct payload *payload, if ( rc ) return rc; - rc = parse_buildid(livepatch_elf_sec_by_name(elf, - ELF_LIVEPATCH_XEN_DEPENDS), - &payload->xen_dep); - if ( rc ) - return rc; - /* Setup the virtual region with proper data. */ region = &payload->region; @@ -1069,6 +1094,10 @@ static int load_payload_data(struct payload *payload, void *raw, size_t len) if ( rc ) goto out; + rc = check_xen_buildid(&elf); + if ( rc ) + goto out; + rc = move_payload(payload, &elf); if ( rc ) goto out; @@ -1093,10 +1122,6 @@ static int load_payload_data(struct payload *payload, void *raw, size_t len) if ( rc ) goto out; - rc = xen_build_id_dep(payload); - if ( rc ) - goto out; - rc = build_symbol_table(payload, &elf); if ( rc ) goto out; 
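Review bot: removing ELF_LIVEPATCH_XEN_DEPENDS from names[] in check_special_sections() means .livepatch.xen_depends no longer goes through whatever per-section checks that loop performs; check_xen_buildid() only tests `!sec` before calling parse_buildid() on data that is still in the temporary load buffer. Please confirm that the checks being skipped are not needed for this section, or repeat them in check_xen_buildid() ahead of the parse. Also, all three error paths in check_xen_buildid() return -EINVAL and discard rc after printing it; returning rc would keep the error code seen by the caller consistent with the log line.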
@@ -2199,9 +2224,6 @@ static void cf_check livepatch_printall(unsigned char key) if ( data->dep.len ) printk("depend-on=%*phN\n", data->dep.len, data->dep.p); - - if ( data->xen_dep.len ) - printk("depend-on-xen=%*phN\n", data->xen_dep.len, data->xen_dep.p); } spin_unlock(&payload_lock); diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatch_payload.h index 472d6a4a63c1..c6dc7cb5fa21 100644 --- a/xen/include/xen/livepatch_payload.h +++ b/xen/include/xen/livepatch_payload.h 
@@ -62,7 +62,6 @@ struct payload { unsigned int nsyms; /* Nr of entries in .strtab and symbols. */ struct livepatch_build_id id; /* ELFNOTE_DESC(.note.gnu.build-id) of the payload. */ struct livepatch_build_id dep; /* ELFNOTE_DESC(.livepatch.depends). */ - struct livepatch_build_id xen_dep; /* ELFNOTE_DESC(.livepatch.xen_depends). */ livepatch_loadcall_t *const *load_funcs; /* The array of funcs to call after */ livepatch_unloadcall_t *const *unload_funcs;/* load and unload of the payload. */ struct livepatch_hooks hooks; /* Pre and post hooks for apply and revert */
From: Roger Pau Monne
To: xen-devel@lists.xenproject.org
Cc: Roger Pau Monne, Jan Beulich, Andrew Cooper, Ross Lagerwall
Subject: [PATCH v2 5/6] x86/alternatives: do not BUG during apply
Date: Wed, 25 Sep 2024 10:42:38 +0200
Message-ID: <20240925084239.85649-6-roger.pau@citrix.com>
In-Reply-To: <20240925084239.85649-1-roger.pau@citrix.com>
References: <20240925084239.85649-1-roger.pau@citrix.com>

alternatives is used both at boot time, and when loading livepatch payloads.
While for the former it makes sense to panic, it's not useful for the latter, as
for livepatches it's possible to fail to load the livepatch if alternatives
cannot be resolved and continue operating normally.

Relax the BUGs in _apply_alternatives() to instead return an error code. The
caller will figure out whether the failures are fatal and panic.

Print an error message to provide some user-readable information about what
went wrong.

Signed-off-by: Roger Pau Monné
Reviewed-by: Jan Beulich
---
Changes since v1:
 - Unconditionally return from _apply_alternative() and let the caller panic
   if required.
 - Remove test, as next patch imposes restrictions that break the test.
---
 xen/arch/x86/alternative.c             | 46 ++++++++++++++++++++------
 xen/arch/x86/include/asm/alternative.h |  2 +-
 xen/common/livepatch.c                 | 10 +++++-
 3 files changed, 46 insertions(+), 12 deletions(-)
diff --git a/xen/arch/x86/alternative.c b/xen/arch/x86/alternative.c index 7824053c9d33..c8848ba6006e 100644 --- a/xen/arch/x86/alternative.c +++ b/xen/arch/x86/alternative.c @@ -175,9 +175,9 @@ extern void *const __initdata_cf_clobber_end[]; * invocation, such that no CALLs/JMPs to NULL pointers will be left * around. See also the further comment below. */ -static void init_or_livepatch _apply_alternatives(struct alt_instr *start, - struct alt_instr *end, - bool force) +static int init_or_livepatch _apply_alternatives(struct alt_instr *start, + struct alt_instr *end, + bool force) { struct alt_instr *a, *base; @@ -198,9 +198,29 @@ static void init_or_livepatch _apply_alternatives(struct alt_instr *start, uint8_t buf[MAX_PATCH_LEN]; unsigned int total_len = a->orig_len + a->pad_len; - BUG_ON(a->repl_len > total_len); - BUG_ON(total_len > sizeof(buf)); - BUG_ON(a->cpuid >= NCAPINTS * 32); + if ( a->repl_len > total_len ) + { + printk(XENLOG_ERR + "alt replacement size (%#x) bigger than destination (%#x)\n", + a->repl_len, total_len); + return -ENOSPC; + } + + if ( total_len > sizeof(buf) ) + { + printk(XENLOG_ERR + "alt destination size (%#x) bigger than buffer (%#zx)\n", + total_len, sizeof(buf)); + return -ENOSPC; + } + + if ( a->cpuid >= NCAPINTS * 32 ) + { + printk(XENLOG_ERR + "alt CPU feature (%#x) outside of featureset range (%#x)\n", + a->cpuid, NCAPINTS * 32); + return -ERANGE; + } /* * Detect sequences of alt_instr's patching the same origin site, and @@ -356,12 +376,14 @@ static void init_or_livepatch _apply_alternatives(struct alt_instr *start, printk("altcall: Optimised away %u endbr64 instructions\n", clobbered); } + + return 0; } #ifdef CONFIG_LIVEPATCH -void apply_alternatives(struct alt_instr *start, struct alt_instr *end) +int apply_alternatives(struct alt_instr *start, struct alt_instr *end) { - _apply_alternatives(start, end, true); + return _apply_alternatives(start, end, true); } #endif 
@@ -383,6 +405,8 @@ static int __init cf_check nmi_apply_alternatives( */ if ( !(alt_done & alt_todo) ) { + int rc; + /* * Relax perms on .text to be RWX, so we can modify them. * @@ -394,8 +418,10 @@ static int __init cf_check nmi_apply_alternatives( PAGE_HYPERVISOR_RWX); flush_local(FLUSH_TLB_GLOBAL); - _apply_alternatives(__alt_instructions, __alt_instructions_end, - alt_done); + rc = _apply_alternatives(__alt_instructions, __alt_instructions_end, + alt_done); + if ( rc ) + panic("Unable to apply alternatives: %d\n", rc); /* * Reinstate perms on .text to be RX. This also cleans out the dirty diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h index a86eadfaecbd..69555d781ef9 100644 --- a/xen/arch/x86/include/asm/alternative.h +++ b/xen/arch/x86/include/asm/alternative.h @@ -24,7 +24,7 @@ struct __packed alt_instr { extern void add_nops(void *insns, unsigned int len); /* Similar to alternative_instructions except it can be run with IRQs enabled. */ -extern void apply_alternatives(struct alt_instr *start, struct alt_instr *end); +extern int apply_alternatives(struct alt_instr *start, struct alt_instr *end); extern void alternative_instructions(void); extern void alternative_branches(void); diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 895c425cd5ea..c777f64d88d4 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c 
@@ -896,7 +896,15 @@ static int prepare_payload(struct payload *payload, return -EINVAL; } } - apply_alternatives(start, end); + + rc = apply_alternatives(start, end); + if ( rc ) + { + printk(XENLOG_ERR LIVEPATCH "%s applying alternatives failed: %d\n", + elf->name, rc); + return rc; + } + alt_done:; #else printk(XENLOG_ERR LIVEPATCH "%s: We don't support alternative patching\n", From patchwork Wed Sep 25 08:42:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Roger_Pau_Monn=C3=A9?= X-Patchwork-Id: 13811788 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id BB2E9C369AB for ; Wed, 25 Sep 2024 08:43:18 +0000 (UTC) Received: from list by lists.xenproject.org with outflank-mailman.803578.1214289 (Exim 4.92) (envelope-from ) id 1stNc9-0006uZ-7t; Wed, 25 Sep 2024 08:43:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 803578.1214289; Wed, 25 Sep 2024 08:43:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1stNc9-0006u6-3w; Wed, 25 Sep 2024 08:43:13 +0000 Received: by outflank-mailman (input) for mailman id 803578; Wed, 25 Sep 2024 08:43:12 +0000 Received: from se1-gles-sth1-in.inumbo.com ([159.253.27.254] helo=se1-gles-sth1.inumbo.com) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1stNc8-0005cc-9Y for xen-devel@lists.xenproject.org; Wed, 25 Sep 2024 08:43:12 +0000 Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [2a00:1450:4864:20::12d]) by se1-gles-sth1.inumbo.com (Halon) with 
NZGpCU7GlNt1H+Re7MW7JmCoENd69Uo/TSVI6chNzmywC4/NPFunh3GZ9eunIxZnyBnBEuxu5sc D X-Google-Smtp-Source: AGHT+IF4iBlhUrjeezjidJmN8G+fTE1LWrk+c4d+nA9SwONISctrd7n8uEp8ZsmksdKzywULm6KjSA== X-Received: by 2002:a05:6512:318c:b0:536:542d:d7e8 with SMTP id 2adb3069b0e04-5387048ad56mr1099902e87.8.1727253790416; Wed, 25 Sep 2024 01:43:10 -0700 (PDT) From: Roger Pau Monne To: xen-devel@lists.xenproject.org Cc: Roger Pau Monne , Jan Beulich , Andrew Cooper Subject: [PATCH v2 6/6] x86/alternative: build time check feature is in range Date: Wed, 25 Sep 2024 10:42:39 +0200 Message-ID: <20240925084239.85649-7-roger.pau@citrix.com> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240925084239.85649-1-roger.pau@citrix.com> References: <20240925084239.85649-1-roger.pau@citrix.com> MIME-Version: 1.0 Ensure at build time the feature(s) used for the alternative blocks are in range of the featureset. No functional change intended, as all current usages are correct. Signed-off-by: Roger Pau Monné --- Changes since v1: - New in this version. --- xen/arch/x86/include/asm/alternative-asm.h | 3 +++ xen/arch/x86/include/asm/alternative.h | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/xen/arch/x86/include/asm/alternative-asm.h b/xen/arch/x86/include/asm/alternative-asm.h index 4092f5ba70a6..83e8594f0eaf 100644 --- a/xen/arch/x86/include/asm/alternative-asm.h +++ b/xen/arch/x86/include/asm/alternative-asm.h @@ -12,6 +12,9 @@ * instruction. See apply_alternatives(). */ .macro altinstruction_entry orig, repl, feature, orig_len, repl_len, pad_len + .if \feature >= NCAPINTS * 32 + .error "alternative feature outside of featureset range" + .endif .long \orig - . .long \repl - . .word \feature diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h index 69555d781ef9..b7f155994b2c 100644 --- a/xen/arch/x86/include/asm/alternative.h +++ b/xen/arch/x86/include/asm/alternative.h 
@@ -7,6 +7,7 @@ #include #include #include +#include struct __packed alt_instr { int32_t orig_offset; /* original instruction */ @@ -59,6 +60,9 @@ extern void alternative_branches(void); alt_repl_len(n2)) "-" alt_orig_len) #define ALTINSTR_ENTRY(feature, num) \ + " .if " __stringify(feature) " >= " __stringify(NCAPINTS * 32) "\n"\ + " .error \"alternative feature outside of featureset range\"\n" \ + " .endif\n" \ " .long .LXEN%=_orig_s - .\n" /* label */ \ " .long " alt_repl_s(num)" - .\n" /* new instruction */ \ " .word " __stringify(feature) "\n" /* feature bit */ \
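Review bot: In the _apply_alternatives() hunk of xen/arch/x86/alternative.c (patch 5/6), the three new printk(XENLOG_ERR ...) messages report the offending sizes or feature number but not which alt_instr entry failed, so the boot-time "Unable to apply alternatives: %d" panic gives nothing to locate the bad site with. Consider adding the entry's index in the [start, end) range or its origin address to each message. Since the function now returns on the first bad entry instead of stopping the system, the comment above it should also say whether earlier entries in the range may already have been applied when an error is returned.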
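Review bot: In the xen/arch/x86/include/asm/alternative.h hunk of patch 5/6, apply_alternatives() changes from void to int but nothing forces callers to look at the result, so a future caller can silently ignore a failed application. Annotating the prototype with __must_check would make the compiler flag that, for example "extern int __must_check apply_alternatives(struct alt_instr *start, struct alt_instr *end);".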
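Review bot: In the prepare_payload() hunk of xen/common/livepatch.c (patch 5/6), the new message "%s applying alternatives failed: %d\n" drops the colon after the payload name that the neighbouring message in the same context uses ("%s: We don't support alternative patching\n"). Using "%s: applying alternatives failed: %d\n" keeps the log format consistent for anyone matching on the payload-name prefix.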
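Review bot: In the altinstruction_entry hunk of xen/arch/x86/include/asm/alternative-asm.h (patch 6/6), the added ".if \feature >= NCAPINTS * 32" depends on NCAPINTS being defined as a constant the assembler can evaluate in every file that uses the macro, yet this hunk adds no #include, while the alternative.h hunk of the same patch does add one. Either add the defining header here as well, or say in the commit message why it is always in scope for assembly users.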
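Review bot: In the ALTINSTR_ENTRY hunk of xen/arch/x86/include/asm/alternative.h (patch 6/6), both operands of the .if comparison are pasted in unparenthesised via __stringify(feature) and __stringify(NCAPINTS * 32), so the result depends on the assembler's operator precedence and on each macro expanding to something the assembler can parse (no casts or integer suffixes). Wrapping both sides, as in " .if (" __stringify(feature) ") >= (" __stringify(NCAPINTS * 32) ")\n", would make the check robust to a feature argument that is itself an expression, and a short comment noting that the argument must be assembler-evaluable would document the new constraint.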