authorDylan Reid <dgreid@chromium.org>2017-06-20 10:15:51 -0700
committerchrome-bot <chrome-bot@chromium.org>2017-06-27 00:20:33 -0700
commit0584fe9fb2694fad6dc841a8215e8017c18b19c7 (patch)
tree0180ba9aaec5211b367b2656775a82dac2fe736f /x86_64/src
parent045c7133dd22e4cc5fe62af136c15b04a8b8a485 (diff)
Limit types that can be read from guest memory
Not all types are safe to read from guest memory.  Any type with a
reference or pointer will be initialized to random bits that don't refer
to a valid address.  This can cause dangling pointers and other undefined
behavior.

To fix this, limit types that can be read with read_obj to those that
implement the unsafe trait `DataInit`.  Provide implementations of
`DataInit` for intrinsic types that are obviously safe to initialize
with random data.

Implement the needed traits for bootparam types as they are read from
the kernel image directly.

Change-Id: I1040f5bc1b2fc4c58c87d8a2ce3f618edcf6f9b1
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/540750
Reviewed-by: Zach Reizner <zachr@chromium.org>
Diffstat (limited to 'x86_64/src')
-rw-r--r--x86_64/src/lib.rs24
1 files changed, 24 insertions, 0 deletions
diff --git a/x86_64/src/lib.rs b/x86_64/src/lib.rs
index 26de9e5..ad3ec46 100644
--- a/x86_64/src/lib.rs
+++ b/x86_64/src/lib.rs
@@ -3,6 +3,7 @@
 // found in the LICENSE file.
 
 extern crate byteorder;
+extern crate data_model;
 extern crate kvm;
 extern crate kvm_sys;
 extern crate libc;
@@ -13,6 +14,21 @@ extern crate sys_util;
 #[allow(non_camel_case_types)]
 #[allow(non_snake_case)]
 mod bootparam;
+// Bindgen didn't implement copy for boot_params because edid_info contains an array with len > 32.
+impl Copy for bootparam::edid_info {}
+impl Clone for bootparam::edid_info {
+    fn clone(&self) -> Self {
+        *self
+    }
+}
+impl Copy for bootparam::boot_params {}
+impl Clone for bootparam::boot_params {
+    fn clone(&self) -> Self {
+        *self
+    }
+}
+// boot_params is just a series of ints, it is safe to initialize it.
+unsafe impl data_model::DataInit for bootparam::boot_params {}
 
 #[allow(dead_code)]
 #[allow(non_upper_case_globals)]
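Review bot: The `unsafe impl data_model::DataInit for bootparam::boot_params {}` is a soundness claim — every bit pattern is a valid `boot_params` — that rests only on the one-line comment above it, so if bootparam.rs is ever regenerated and a field becomes a `bool`, a Rust enum or any non-integer type, the impl silently becomes unsound. Rust convention for an `unsafe impl` is a `// SAFETY:` comment naming the invariant relied on; I would replace the comment with `// SAFETY: boot_params (and the nested edid_info) is bindgen output holding only integer fields and byte arrays, so any byte pattern read from guest memory is a valid value. Re-check this whenever bootparam.rs is regenerated.` The manual `Copy`/`Clone` impls presumably exist because `edid_info`'s large array is the only member bindgen could not derive `Copy` for, but that cannot be confirmed from this hunk.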
@@ -22,6 +38,14 @@ mod msr_index;
 #[allow(non_upper_case_globals)]
 #[allow(non_camel_case_types)]
 mod mpspec;
+// These mpspec types are only data, reading them from data is a safe initialization.
+unsafe impl data_model::DataInit for mpspec::mpc_bus {}
+unsafe impl data_model::DataInit for mpspec::mpc_cpu {}
+unsafe impl data_model::DataInit for mpspec::mpc_intsrc {}
+unsafe impl data_model::DataInit for mpspec::mpc_ioapic {}
+unsafe impl data_model::DataInit for mpspec::mpc_table {}
+unsafe impl data_model::DataInit for mpspec::mpc_lintsrc {}
+unsafe impl data_model::DataInit for mpspec::mpf_intel {}
 
 mod cpuid;
 mod gdt;
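Review bot: The seven `unsafe impl data_model::DataInit` lines share one informal justification, `These mpspec types are only data`, which a reader cannot verify from this file even though each line asserts that every bit pattern is a valid value of that struct. A `// SAFETY:` comment stating the actual condition would make the reliance explicit, e.g. `// SAFETY: each mpspec struct is bindgen output composed only of integer fields and byte arrays; any byte pattern is a valid value. Revisit if mpspec.rs is regenerated with bool, enum or pointer fields.` It is also worth noting in that comment that `DataInit` only makes the read memory-safe; it says nothing about the values being sane, so any code that parses these tables out of guest memory still has to validate signatures and lengths before trusting them — presumably that lives elsewhere.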