Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unsound code patterns #359

Open
10 of 14 tasks
p4zuu opened this issue May 23, 2024 · 10 comments
Open
10 of 14 tasks

Unsound code patterns #359

p4zuu opened this issue May 23, 2024 · 10 comments

Comments

@p4zuu
Copy link
Collaborator

p4zuu commented May 23, 2024

Here are some unsound code patterns possibly remaining after @Freax13's initial issue #104.

p4zuu added a commit to p4zuu/svsm that referenced this issue May 23, 2024
Tracking the unsound code patterns with issue coconut-svsm#359, and set new owners
to Carlos López, Thomas Leroy and Tom Dohrmann.

Signed-off-by: Thomas Leroy <thomas.leroy.mp@gmail.com>
@00xc
Copy link
Member

00xc commented May 30, 2024

  • this_cpu_mut is unsound as it allows creating multiple mutable references pointing to the same location.
  • PerCpu::ghcb shouldn't give out mutable references with a static lifetime. (@00xc currently working on it)

These will be fixed by #372.

  • load_idt either needs to take a 'static reference or be unsafe. The same applies to load_tss.

The IDT part should be fixed by #366. TSS still not fixed yet.

@00xc
Copy link
Member

00xc commented Jun 19, 2024

This will actually be fixed by #387.

@Freax13
Copy link
Contributor

Freax13 commented Aug 22, 2024

  • PageTableRef doesn't have a lifetime associated with it, so there's no guarantee that the contained PageTable pointer is still live when PageTableRef::deref(_mut) dereferences the pointer.

This will be fixed by #443 (though to be fair AFAICT the original issue doesn't exist anymore anyway).

@Freax13
Copy link
Contributor

Freax13 commented Aug 29, 2024

This will be fixed by #450.

@Freax13
Copy link
Contributor

Freax13 commented Oct 7, 2024

GuestVMExit does not list all VM exit types (and I don't think this would be feasible given that AMD can decide to add new exit types in the future). We use this type in VMSA. If a guest exits with an unsupported exit type, we have UB.

@p4zuu
Copy link
Collaborator Author

p4zuu commented Oct 7, 2024

GuestVMExit does not list all VM exit types (and I don't think this would be feasible given that AMD can decide to add new exit types in the future). We use this type in VMSA. If a guest exits with an unsupported exit type, we have UB.

Good catch. If I understand the code correctly, the UB can only be triggered in RequestParams::from_vmsa(), right? If we add a check here, it would still be possible to put an undefined value in VMSA::guest_exit_code somewhere else, but at least we could catch a guest-controlled UB

@Freax13
Copy link
Contributor

Freax13 commented Oct 7, 2024

GuestVMExit does not list all VM exit types (and I don't think this would be feasible given that AMD can decide to add new exit types in the future). We use this type in VMSA. If a guest exits with an unsupported exit type, we have UB.

Good catch. If I understand the code correctly, the UB can only be triggered in RequestParams::from_vmsa(), right?

It's UB even if we don't access the value.

If we add a check here, it would still be possible to put an undefined value in VMSA::guest_exit_code somewhere else, but at least we could catch a guest-controlled UB

Can you elaborate on how this check would be implemented?

IMHO we should change GuestVMExit to be defined as pub struct GuestVMExit(u64); and add associated constants for the variants e.g. impl GuestVMExit { pub const MC: Self = Self(0x52); }. This is a fairly common compromise between wanting to have properly named variants but also having the flexibility to allow unknown values.

@p4zuu
Copy link
Collaborator Author

p4zuu commented Oct 7, 2024

IMHO we should change GuestVMExit to be defined as pub struct GuestVMExit(u64); and add associated constants for the variants e.g. impl GuestVMExit { pub const MC: Self = Self(0x52); }. This is a fairly common compromise between wanting to have properly named variants but also having the flexibility to allow unknown values.

Yes you're right. It looks easier to handle unknown values, and allow room for the new exit codes.

@p4zuu
Copy link
Collaborator Author

p4zuu commented Oct 8, 2024

IMHO we should change GuestVMExit to be defined as pub struct GuestVMExit(u64); and add associated constants for the variants e.g. impl GuestVMExit { pub const MC: Self = Self(0x52); }. This is a fairly common compromise between wanting to have properly named variants but also having the flexibility to allow unknown values.

Do you plan working on implementing this? I can take it if you want

@Freax13
Copy link
Contributor

Freax13 commented Oct 8, 2024

IMHO we should change GuestVMExit to be defined as pub struct GuestVMExit(u64); and add associated constants for the variants e.g. impl GuestVMExit { pub const MC: Self = Self(0x52); }. This is a fairly common compromise between wanting to have properly named variants but also having the flexibility to allow unknown values.

Do you plan working on implementing this? I can take it if you want

Feel free, I'm already quite busy.

p4zuu added a commit to p4zuu/svsm that referenced this issue Oct 10, 2024
Previously, it was possible for a guest to exit with an exit code
undefined in the GuestVMExit enum, leading to undefined behavior.

As suggested by @Freax13 in coconut-svsm#359, we can replace this by a tuple struct,
allowing unknown values.

Signed-off-by: Thomas Leroy <thomas.leroy@suse.com>
p4zuu added a commit to p4zuu/svsm that referenced this issue Oct 10, 2024
Previously, it was possible for a guest to exit with an exit code
undefined in the GuestVMExit enum, leading to undefined behavior.

As suggested by @Freax13 in coconut-svsm#359, we can replace this by a tuple struct,
allowing unknown values.

Signed-off-by: Thomas Leroy <thomas.leroy@suse.com>
p4zuu added a commit to p4zuu/svsm that referenced this issue Oct 10, 2024
Previously, it was possible for a guest to exit with an exit code
undefined in the GuestVMExit enum, leading to undefined behavior.

As suggested by @Freax13 in coconut-svsm#359, we can replace this by a tuple struct,
allowing unknown values.

Signed-off-by: Thomas Leroy <thomas.leroy@suse.com>
p4zuu added a commit to p4zuu/svsm that referenced this issue Oct 15, 2024
Previously, it was possible for a guest to exit with an exit code
undefined in the GuestVMExit enum, leading to undefined behavior.

As suggested by @Freax13 in coconut-svsm#359, we can replace this by a tuple struct,
allowing unknown values.

Signed-off-by: Thomas Leroy <thomas.leroy@suse.com>
p4zuu added a commit to p4zuu/svsm that referenced this issue Dec 3, 2024
As advised by @Freax13 in coconut-svsm#359, if misused, zero_mem_region() can corrupt valid
memory by writing zeroes to it. Therefore, it should be unsafe so that callers
verfies that it points to the intended memory.

Signed-off-by: Thomas Leroy <thomas.leroy@suse.com>
p4zuu added a commit to p4zuu/svsm that referenced this issue Dec 4, 2024
As advised by @Freax13 in coconut-svsm#359, if misused, zero_mem_region() can corrupt valid
memory by writing zeroes to it. Therefore, it should be unsafe so that callers
verfies that it points to the intended memory.

Signed-off-by: Thomas Leroy <thomas.leroy@suse.com>
p4zuu added a commit to p4zuu/svsm that referenced this issue Dec 6, 2024
As advised by @Freax13 in coconut-svsm#359, if misused, zero_mem_region() can corrupt valid
memory by writing zeroes to it. Therefore, it should be unsafe so that callers
verfies that it points to the intended memory.

Signed-off-by: Thomas Leroy <thomas.leroy@suse.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants