Xen GitHub #2
Open
nmanthey wants to merge 16 commits into error27:master from nmanthey:xen-github
Conversation
To get more out of the analysis, increase some buffers and limits. Signed-off-by: Norbert Manthey <[email protected]>
Cleanup all files that have been created. Signed-off-by: Norbert Manthey <[email protected]>
Instead of cutting gadgets off, report the information that would have been used to cut them off. Signed-off-by: Norbert Manthey <[email protected]>
This method is used to be able to decide whether a function name matches the "do_" ... "_op" structure of some Xen hypercalls. Signed-off-by: Norbert Manthey <[email protected]>
In case a function name matches the structure of a Xen hypercall, match it, and treat it as a kernel syscall. Currently, possible hypercalls are identified via string patterns, starting with "do_" or "hvm_" or "arch_", and ending with "_op", "_op_compat" or "_op_compat32", respectively. Signed-off-by: Norbert Manthey <[email protected]>
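As an added example (not code from the smatch repository or from this PR), a C check that implements the naming structure described in the commit message above: a name is treated as a hypercall handler when it starts with one of the listed prefixes and ends with one of the listed suffixes. Accepting every prefix/suffix combination and requiring a non-empty middle part are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prefixes and suffixes named in the commit message; pairing any prefix
 * with any suffix is an assumption of this example. */
static const char *const hypercall_prefixes[] = { "do_", "hvm_", "arch_" };
static const char *const hypercall_suffixes[] = { "_op", "_op_compat", "_op_compat32" };

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

static bool has_prefix(const char *name, const char *prefix)
{
    return strncmp(name, prefix, strlen(prefix)) == 0;
}

static bool has_suffix(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    return n >= s && strcmp(name + n - s, suffix) == 0;
}

/* Returns true when the name has the shape <prefix><something><suffix>,
 * e.g. "do_memory_op"; the middle part must be at least one character so
 * that the prefix and suffix cannot overlap (e.g. "do_op" is rejected). */
bool is_xen_hypercall_name(const char *name)
{
    size_t i, j;
    if (!name)
        return false;
    for (i = 0; i < ARRAY_LEN(hypercall_prefixes); i++) {
        const char *p = hypercall_prefixes[i];
        if (!has_prefix(name, p))
            continue;
        for (j = 0; j < ARRAY_LEN(hypercall_suffixes); j++) {
            const char *s = hypercall_suffixes[j];
            if (has_suffix(name, s) && strlen(name) > strlen(p) + strlen(s))
                return true;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample names, not taken from the Xen source tree. */
    const char *names[] = { "do_memory_op", "hvm_physdev_op_compat", "do_domctl", "do_op" };
    size_t i;
    for (i = 0; i < ARRAY_LEN(names); i++)
        printf("%-24s %s\n", names[i], is_xen_hypercall_name(names[i]) ? "hypercall" : "other");
    return 0;
}
```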
Add functions that access guest data, and teach smatch about the parameter that points to the user data. As there are multiple flavors, try to be exhaustive. Signed-off-by: Norbert Manthey <[email protected]>
Signed-off-by: Norbert Manthey <[email protected]>
The second argument of hypercalls is user controlled. Hence, register these functions as source of user data. Signed-off-by: Norbert Manthey <[email protected]>
During instruction emulation, data from the guest context is brought into the hypervisor context in several ways. Teach smatch about these functions, so that the data can be tracked. Signed-off-by: Norbert Manthey <[email protected]>
During emulation, we might read from user registers. As those are controlled by the guest, also track them during taint analysis. Signed-off-by: Norbert Manthey <[email protected]>
Make sure we use the copy_from_guest function everywhere we use copy_from_user, to get the same filtering functionality. Signed-off-by: Norbert Manthey <[email protected]>
Similarly to the kernel, add a script that analyzes Xen. This script uses one-line-scan to wrap smatch in the build process. The script is taken from the test_kernel script. Different versions of Xen might be built with different compilers. Therefore, we allow specifying the environment variable SMATCH_ONE_LINE_SCAN_ARSG, which can be used to forward command line parameters to one-line-scan, for example a compiler prefix or suffix. Signed-off-by: Norbert Manthey <[email protected]> Signed-off-by: Dan Carpenter <[email protected]>
This script is taken from the script for the kernel. The project name is kept as "kernel", as this project name enables many analysis techniques in smatch. The major difference is that the test_xen.sh script is called, instead of the test_kernel.sh script. Signed-off-by: Norbert Manthey <[email protected]> Signed-off-by: Dan Carpenter <[email protected]>
Similarly to copy_from_user, we want to make sure that smatch keeps the copy_from_guest feature working in the future. Signed-off-by: Norbert Manthey <[email protected]>
For special kernel builds, we are interested in parameterizing the build command, e.g. to specify different values for CC or HOSTCC. To allow this, adapt the script to consume such a variable. Signed-off-by: Norbert Manthey <[email protected]>
This script can be used to detect all candidates for speculative leak gadgets. This script only takes care of building the hypervisor with the smatch tool support. As long as new defect candidates are detected, the script will continue. Furthermore, an upper bound is set to stop the detection at some point. Note: smatch tracks state locally, and improves its results when being executed multiple times in a row. To detect newly introduced defects, this tool should be used on the old change and the new change, so that the differences in the output can be compared. Due to the time-based behavior of smatch, there might be differences in the output that are not caused by code changes. Signed-off-by: Norbert Manthey <[email protected]>
error27 pushed a commit that referenced this pull request on Apr 21, 2022
Unrelated fix: In match_memdup() I added some add_dereference(left/right) calls. Problem: This code is a tangled mess and zeroing memory does not work. This code is supposed to handle three things. #1 Copying a known struct to a different struct of the same type. #2 Copying unknown data to a struct. #3 Copying a zeroed buffer to a struct. I think #1 basically works. It's hard to get #2 wrong so I think that works but probably in the wrong way. But #3 was not working. In the original code, it treated "struct = struct" as different from memcpying. Which is sort of not a bad idea, but not how it's implemented. So get rid of that. Just say COPY_NORMAL. Use COPY_UNKNOWN for #2 of an unknown buffer and COPY_ZERO for a zeroed buffer. Signed-off-by: Dan Carpenter <[email protected]>
This patch series allows running smatch on Xen, and allows tracking guest-controllable variables across the Xen code base.
This pull request is based on a patch series that has been sent to the smatch mailing list in the past.