Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Xen GitHub #2

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Xen GitHub #2

wants to merge 16 commits into from

Conversation

nmanthey
Copy link

This patch series allows to run smatch on Xen, and allows to track guest controllable variables across the Xen code base.

This pull request is based on a patch series that has been sent to the smatch mailing list in the past.

nmanthey added 16 commits May 18, 2021 16:43
To get more out of the analysis, increase some buffers and limits.

Signed-off-by: Norbert Manthey <[email protected]>
Cleanup all files that have been created.

Signed-off-by: Norbert Manthey <[email protected]>
Instead of cutting gadgets off, report the information that would
have been used to cut them off.

Signed-off-by: Norbert Manthey <[email protected]>
This method is used to be able to decide whether a function name
matched the "do_" ... "_op" structure of some Xen hypercalls.

Signed-off-by: Norbert Manthey <[email protected]>
In case a function name matches the structure of a Xen hypercall,
match it, and treat it as a kernel syscall.

Currently, possible hypercalls are identified via string patterns,
starting with "do_" or "hvm_" or "arch_", and ending with "_op",
"_op_compat" or "_op_compat32", respectively.

Signed-off-by: Norbert Manthey <[email protected]>
Add functions that access guest data, and teach smatch about the
parameter that points to the user data. As there are multiple
flavors, try to be exhaustive.

Signed-off-by: Norbert Manthey <[email protected]>
The second argument of hypercalls is user controlled. Hence, register
these functions as source of user data.

Signed-off-by: Norbert Manthey <[email protected]>
During instruction emulation, data from the guest context is brought
into the hypervisor context in several ways. Teach smatch about these
functions, so that the data can be tracked.

Signed-off-by: Norbert Manthey <[email protected]>
During emulation, we might read from user registers. As those are
controlled by the guest, also track them during taint analysis.

Signed-off-by: Norbert Manthey <[email protected]>
Make sure we use the copy_from_guest function everywhere we use
copy_from_user, to get the same filtering functionality.

Signed-off-by: Norbert Manthey <[email protected]>
Similarly to the kernel, add a script that analyzes Xen. This script
uses one-line-scan to wrap smatch in the build process. The script is
taken from the test_kernel script.

Different version of Xen might be built with different compilers.
Therefore, we allow to specify the environment variable
SMATCH_ONE_LINE_SCAN_ARSG, which can be used to forward command line
parameters to one-line-scan, for example compiler prefix or suffix.

Signed-off-by: Norbert Manthey <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
This script is taken from the script for the kernel. The project
name is kept as "kernel", as this project name enables many
analysis techniques in smatch.

The major difference is that the test_xen.sh script is called,
instead of the test_kernel.sh script.

Signed-off-by: Norbert Manthey <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Similarly to copy_from_user, we want to make sure that smatch keeps the
copy_from_guest feature working in the future.

Signed-off-by: Norbert Manthey <[email protected]>
For special kernel builds, we are interested in parameterizing the
build command, e.g. to specify different values for CC or HOSTCC.
To allow this, adapt the script to consume such a variable.

Signed-off-by: Norbert Manthey <[email protected]>
This script can be used to detect all candidates for speculative leak
gadgets. This script only takes care of building the hypervisor with the
smatch tool support. As long as new defect candidates are detected, the
script will continue. Furthermore, an upper bound is set to stop the
detection at some point. Note, smatch is tracking state locally, and
miproves its results when being executed multiple times in a row.

To detect newly introduced defects, this tool should be used on the old
change and the new change, so that the differences in the output can be
compared. Due to the time based behavior of smatch, there might be
differences in the output that are not caused by code changes.

Signed-off-by: Norbert Manthey <[email protected]>
error27 pushed a commit that referenced this pull request Apr 21, 2022
Unrelated fix: In match_memdup() then I added some add_dereference(left/right)
calls.

Problem: This codes a tangled mess and zeroing memory does not work.

This code is supposed to handle three things.  #1 Copying a known struct
to a different struct of the same type.  #2 Copying unknown data to a
struct.  #3 Copying a zeroed buffer to a struct.

I think #1 basically works.  It's hard to get #2 wrong so I think that
works but probably in the wrong way.  But #3 was not working.

In the original code, it treated "struct = struct" as different from
memcpying.  Which is sort of not a bad idea, but not how it's implemented.
So get rid of that.  Just say COPY_NORMAL.  Use COPY_UNKNOWN for #2 of
an unknown buffer and COPY_ZERO for a zeroed buffer.

Signed-off-by: Dan Carpenter <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant