diff mbox

[v5,08/16] livepatch/arm/x86: Check payload for for unwelcomed symbols.

Message ID 20160923161504.GG25028@char.us.oracle.com (mailing list archive)
State New, archived
Headers show

Commit Message

Konrad Rzeszutek Wilk Sept. 23, 2016, 4:15 p.m. UTC 
> >  int arch_livepatch_perform_rel(struct livepatch_elf *elf,
> >                                 const struct livepatch_elf_sec *base,
> >                                 const struct livepatch_elf_sec *rela)
> > diff --git a/xen/common/livepatch_elf.c b/xen/common/livepatch_elf.c
> > index f46990e..ec74beb 100644
> > --- a/xen/common/livepatch_elf.c
> > +++ b/xen/common/livepatch_elf.c
> > @@ -251,6 +251,13 @@ static int elf_get_sym(struct livepatch_elf *elf, const void *data)
> > 
> >          sym[i].sym = s;
> >          sym[i].name = strtab_sec->data + delta;
> > +        /* e.g. On ARM we should NEVER see $t* symbols. */
> 
> I'd prefer this comment in ARM's arch_livepatch_symbol_deny.

I removed the comment from common code. With the latest patch each architecture
has its own implementation of arch_livepatch_symbol_deny.

> 
> Either way,
> Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>

Thanks.

Here is how the updated patch looks like:

From b84b478c4214f97e809f659fe348493c48a51d0c Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Tue, 13 Sep 2016 13:15:07 -0400
Subject: [PATCH v6] livepatch/arm/x86: Check payload for for unwelcomed
 symbols.

Certain platforms, such as ARM [32|64] add extra mapping symbols
such as $x (for ARM64 instructions), or more interesting to
this patch: $t (for Thumb instructions). These symbols are supposed
to help the final linker to make any adjustments (such as
add an veneer). But more importantly - we do not compile Xen
with any Thumb instructions (which are variable length) - and
if we find these mapping symbols we should disallow such payload.

Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Ross Lagerwall <ross.lagerwall@citrix.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Julien Grall <julien.grall@arm.com
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>

v3: New submission.
    Use &sym[i] instead of sym (as that will always be NULL).
v4: Use bool instead of int for return
    Update comment in common code about ARM odd symbols.
    s/_check/_deny/ to make it more clear.
v5: Also check for $t.* wildcard.
    Use Julien's variant where we roll the [2] check in the return.
v6: s/suppose/supposed/ in commit description.
    Move arch_livepatch_symbol_deny in arm[32|64]/livepatch.c
    Added Julien's Reviewed-by.
    Added Ross's Reviewed-by.
    Removed comment from common code talking about $t symbol.
---
 xen/arch/arm/arm32/livepatch.c | 13 +++++++++++++
 xen/arch/arm/arm64/livepatch.c |  7 +++++++
 xen/arch/x86/livepatch.c       |  7 +++++++
 xen/common/livepatch_elf.c     |  6 ++++++
 xen/include/xen/livepatch.h    |  2 ++
 5 files changed, 35 insertions(+)
diff mbox

Patch

diff --git a/xen/arch/arm/arm32/livepatch.c b/xen/arch/arm/arm32/livepatch.c
index 80f9646..5fc2e63 100644
--- a/xen/arch/arm/arm32/livepatch.c
+++ b/xen/arch/arm/arm32/livepatch.c
@@ -20,6 +20,19 @@  int arch_livepatch_verify_elf(const struct livepatch_elf *elf)
     return -EOPNOTSUPP;
 }
 
+bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf,
+                                const struct livepatch_elf_sym *sym)
+{
+    /*
+     * Xen does not use Thumb instructions - and we should not see any of
+     * them. If we do, abort.
+     */
+    if ( sym->name && sym->name[0] == '$' && sym->name[1] == 't' )
+        return ( !sym->name[2] || sym->name[2] == '.' );
+
+    return false;
+}
+
 int arch_livepatch_perform_rela(struct livepatch_elf *elf,
                                 const struct livepatch_elf_sec *base,
                                 const struct livepatch_elf_sec *rela)
diff --git a/xen/arch/arm/arm64/livepatch.c b/xen/arch/arm/arm64/livepatch.c
index 774f845..f148927 100644
--- a/xen/arch/arm/arm64/livepatch.c
+++ b/xen/arch/arm/arm64/livepatch.c
@@ -90,6 +90,13 @@  int arch_livepatch_verify_elf(const struct livepatch_elf *elf)
     return 0;
 }
 
+bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf,
+                                const struct livepatch_elf_sym *sym)
+{
+    /* No special checks on ARM 64. */
+    return false;
+}
+
 enum aarch64_reloc_op {
     RELOC_OP_NONE,
     RELOC_OP_ABS,
diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c
index 7a369a0..9663ef6 100644
--- a/xen/arch/x86/livepatch.c
+++ b/xen/arch/x86/livepatch.c
@@ -131,6 +131,13 @@  bool arch_livepatch_symbol_ok(const struct livepatch_elf *elf,
     return true;
 }
 
+bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf,
+                                const struct livepatch_elf_sym *sym)
+{
+    /* No special checks on x86. */
+    return false;
+}
+
 int arch_livepatch_perform_rel(struct livepatch_elf *elf,
                                const struct livepatch_elf_sec *base,
                                const struct livepatch_elf_sec *rela)
diff --git a/xen/common/livepatch_elf.c b/xen/common/livepatch_elf.c
index dec904a..c4a9633 100644
--- a/xen/common/livepatch_elf.c
+++ b/xen/common/livepatch_elf.c
@@ -251,6 +251,12 @@  static int elf_get_sym(struct livepatch_elf *elf, const void *data)
 
         sym[i].sym = s;
         sym[i].name = strtab_sec->data + delta;
+        if ( arch_livepatch_symbol_deny(elf, &sym[i]) )
+        {
+            dprintk(XENLOG_ERR, LIVEPATCH "%s: Symbol '%s' should not be in payload!\n",
+                    elf->name, sym[i].name);
+            return -EINVAL;
+        }
     }
     elf->nsym = nsym;
 
diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h
index e8c67d6..98ec012 100644
--- a/xen/include/xen/livepatch.h
+++ b/xen/include/xen/livepatch.h
@@ -50,6 +50,8 @@  bool_t is_patch(const void *addr);
 int arch_livepatch_verify_elf(const struct livepatch_elf *elf);
 bool arch_livepatch_symbol_ok(const struct livepatch_elf *elf,
                               const struct livepatch_elf_sym *sym);
+bool arch_livepatch_symbol_deny(const struct livepatch_elf *elf,
+                                const struct livepatch_elf_sym *sym);
 int arch_livepatch_perform_rel(struct livepatch_elf *elf,
                                const struct livepatch_elf_sec *base,
                                const struct livepatch_elf_sec *rela);