branch xen-unstable
xen branch xen-unstable
job build-armhf
test xen-build

Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git

*** Found and reproduced problem changeset ***

  Bug is in tree:  xen git://xenbits.xen.org/xen.git
  Bug introduced:  54353cae096c19f176417f6d425de0a0f8a71228
  Bug not present: cafdceb66e154f1ac204be935f9030959827bd1f

  commit 54353cae096c19f176417f6d425de0a0f8a71228
  Author: Julien Grall <julien.grall@linaro.org>
  Date:   Thu May 23 16:05:18 2013 +0100

      xen/arm: check string format for early_printk

      Signed-off-by: Julien Grall <julien.grall@linaro.org>
      Acked-by: Ian Campbell <ian.campbell@citrix.com>

For bisection revision-tuple graph see:
   http://www.chiark.greenend.org.uk/~xensrcts/results/bisect.xen-unstable.build-armhf.xen-build.html
Revision IDs in each graph node refer, respectively, to the Trees above.

----------------------------------------
Searching for failure / basis pass:
 18035 fail [host=army] / 18033 ok.
Failure / basis pass flights: 18035 / 18033
Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git
Latest e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 1adef1732f67b4039170210bb2e67c64c9dabd4c
Basis pass e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 41abbadef60e5fccdfd688579dd458f7f7887cf5
Generating revisions with ./adhoc-revtuple-generator git://xenbits.xen.org/staging/qemu-upstream-unstable.git#e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44-e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 git://xenbits.xen.org/xen.git#41abbadef60e5fccdfd688579dd458f7f7887cf5-1adef1732f67b4039170210bb2e67c64c9dabd4c
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
Loaded 1001 nodes in revision graph
Searching for test results:
 18039 fail e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 74025300d55262155a3bdafddf257d82dcf0f6af
 18040 pass e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 cafdceb66e154f1ac204be935f9030959827bd1f
 18041 fail e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 b68346247f74e002ef180403167888a03f488080
 18042 fail e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 54353cae096c19f176417f6d425de0a0f8a71228
 18043 pass e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 cafdceb66e154f1ac204be935f9030959827bd1f
 18044 fail e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 54353cae096c19f176417f6d425de0a0f8a71228
 18045 pass e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 cafdceb66e154f1ac204be935f9030959827bd1f
 18046 fail e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 54353cae096c19f176417f6d425de0a0f8a71228
 18032 pass e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 41abbadef60e5fccdfd688579dd458f7f7887cf5
 18033 pass e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 41abbadef60e5fccdfd688579dd458f7f7887cf5
 18035 fail e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 1adef1732f67b4039170210bb2e67c64c9dabd4c
 18036 pass e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 41abbadef60e5fccdfd688579dd458f7f7887cf5
 18038 fail e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 1adef1732f67b4039170210bb2e67c64c9dabd4c
Searching for interesting versions
 Result found: flight 18032 (pass), for basis pass
 Result found: flight 18035 (fail), for basis failure
 Repro found: flight 18036 (pass), for basis pass
 Repro found: flight 18038 (fail), for basis failure
 0 revisions at e2155ddd22fe4378030cbbdbbb089a6fa2f3ad44 cafdceb66e154f1ac204be935f9030959827bd1f
No revisions left to test, checking graph state.
 Result found: flight 18040 (pass), for last pass
 Result found: flight 18042 (fail), for first failure
 Repro found: flight 18043 (pass), for last pass
 Repro found: flight 18044 (fail), for first failure
 Repro found: flight 18045 (pass), for last pass
 Repro found: flight 18046 (fail), for first failure

*** Found and reproduced problem changeset ***

  Bug is in tree:  xen git://xenbits.xen.org/xen.git
  Bug introduced:  54353cae096c19f176417f6d425de0a0f8a71228
  Bug not present: cafdceb66e154f1ac204be935f9030959827bd1f

using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...

commit 54353cae096c19f176417f6d425de0a0f8a71228
Author: Julien Grall <julien.grall@linaro.org>
Date:   Thu May 23 16:05:18 2013 +0100

    xen/arm: check string format for early_printk

    Signed-off-by: Julien Grall <julien.grall@linaro.org>
    Acked-by: Ian Campbell <ian.campbell@citrix.com>

Revision graph left in /home/xc_osstest/results/bisect.xen-unstable.build-armhf.xen-build.{dot,ps,png,html}.
----------------------------------------
18046: tolerable ALL FAIL

flight 18046 xen-unstable real-bisect [real]
http://www.chiark.greenend.org.uk/~xensrcts/logs/18046/

Failures :-/ but no regressions.

Tests which did not succeed,
including tests which could not be run:
 build-armhf 4 xen-build fail baseline untested

jobs:
 build-armhf fail

------------------------------------------------------------
sg-report-flight on woking.cam.xci-test.com
logs: /home/xc_osstest/logs
images: /home/xc_osstest/images

Logs, config files, etc. are available at
    http://www.chiark.greenend.org.uk/~xensrcts/logs

Test harness code can be found at
    http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary

Hello,

I'm sorry for this compilation breakage :/.

I have either an incremental fix:

diff --git a/xen/include/asm-arm/early_printk.h b/xen/include/asm-arm/early_printk.h index 03ead23..5f7c529 100644 --- a/xen/include/asm-arm/early_printk.h +++ b/xen/include/asm-arm/early_printk.h @@ -21,11 +21,12 @@ void early_panic(const char *fmt, ...) __attribute__((noreturn)) #else -static inline void early_printk(const char *fmt, ...) - __attribute__((format (printf, 1, 2))) +static inline __attribute__((format (printf, 1, 2))) void +early_printk(const char *fmt, ...) {} -static inline void __attribute__((noreturn)) early_panic(const char *fmt, ...) - __attribute__((format (printf, 1, 2))) + +static inline void __attribute__((noreturn)) +__attribute__((format (printf, 1, 2))) early_panic(const char *fmt, ...) {while(1);} #endif ------------------------------- or the patch rewritten: diff --git a/xen/include/asm-arm/early_printk.h b/xen/include/asm-arm/early_printk.h index b72fce7..5f7c529 100644 --- a/xen/include/asm-arm/early_printk.h +++ b/xen/include/asm-arm/early_printk.h
@@ -14,13 +14,20 @@ #ifdef EARLY_PRINTK -void early_printk(const char *fmt, ...); -void early_panic(const char *fmt, ...) __attribute__((noreturn)); +void early_printk(const char *fmt, ...) + __attribute__((format (printf, 1, 2))); +void early_panic(const char *fmt, ...) __attribute__((noreturn)) + __attribute__((format (printf, 1, 2))); #else -static inline void early_printk(const char *fmt, ...) {} -static inline void __attribute__((noreturn)) early_panic(const char *fmt, ...) {while(1);} +static inline __attribute__((format (printf, 1, 2))) void +early_printk(const char *fmt, ...) +{} + +static inline void __attribute__((noreturn)) +__attribute__((format (printf, 1, 2))) early_panic(const char *fmt, ...) +{while(1);} #endif ------------------------------- Cheers, Julien On 05/30/2013 08:59 PM, xen.org wrote:> branch xen-unstable > xen branch xen-unstable > job build-armhf > test xen-build > > Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git > Tree: xen git://xenbits.xen.org/xen.git > > *** Found and reproduced problem changeset *** > > Bug is in tree: xen git://xenbits.xen.org/xen.git > Bug introduced: 54353cae096c19f176417f6d425de0a0f8a71228 > Bug not present: cafdceb66e154f1ac204be935f9030959827bd1f > > > commit 54353cae096c19f176417f6d425de0a0f8a71228 > Author: Julien Grall <julien.grall@linaro.org> > Date: Thu May 23 16:05:18 2013 +0100 > > xen/arm: check string format for early_printk 
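Review bot: in the incremental fix, the two #else stubs end up with different attribute placement: early_printk puts `__attribute__((format (printf, 1, 2)))` before the return type, while early_panic keeps `void` first and then carries `noreturn` and `format` as two separate `__attribute__` groups. Both put the attributes ahead of the declarator, but using one order for both stubs, for example `static inline __attribute__((noreturn, format (printf, 1, 2))) void` for early_panic, would keep the pair uniform and easier to compare.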
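Review bot: in the rewritten patch, the #else stubs need a one-line comment saying why their attributes sit in front of the declarator while the #ifdef EARLY_PRINTK prototypes keep them trailing. Without it the two branches look accidentally inconsistent, and a later cleanup could move the stub attributes back behind the parameter list, which is the trailing form the incremental fix removes. The early_panic prototype could also name both attributes in one group, `__attribute__((noreturn, format (printf, 1, 2)))`, so it reads the same way in both branches.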
On Thu, 2013-05-30 at 21:23 +0100, Julien Grall wrote:
> Hello,
>
> I'm sorry for this compilation breakage :/.

I somehow missed this in my build test as well :-/

> I have either an incremental fix:

Which I have applied, thanks.

Ian.

branch xen-unstable
xen branch xen-unstable
job build-armhf
test xen-build

Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git

*** Found and reproduced problem changeset ***

  Bug is in tree:  xen git://xenbits.xen.org/xen.git
  Bug introduced:  65808a8ed41cc7c044f588bd6cab5af0fdc0e029
  Bug not present: 04877847ade4ac9216e9f408fd544ade8f90cf9a

  commit 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
  Author: Ian Jackson <ian.jackson@eu.citrix.com>
  Date:   Fri Jun 14 16:39:36 2013 +0100

      libelf: check all pointer accesses

      We change the ELF_PTRVAL and ELF_HANDLE types and associated macros:

      * PTRVAL becomes a uintptr_t, for which we provide a typedef
        elf_ptrval. This means no arithmetic done on it can overflow so
        the compiler cannot do any malicious invalid pointer arithmetic
        "optimisations". It also means that any places where we
        dereference one of these pointers without using the appropriate
        macros or functions become a compilation error.

        So we can be sure that we won't miss any memory accesses.

        All the PTRVAL variables were previously void* or char*, so
        the actual address calculations are unchanged.

      * ELF_HANDLE becomes a union, one half of which keeps the pointer
        value and the other half of which is just there to record the
        type.

        The new type is not a pointer type so there can be no address
        calculations on it whose meaning would change. Every assignment
        or access has to go through one of our macros.

      * The distinction between const and non-const pointers and char*s
        and void*s in libelf goes away. This was not important (and
        anyway libelf tended to cast away const in various places).

      * The fields elf->image and elf->dest are renamed. That proves
        that we haven't missed any unchecked uses of these actual
        pointer values.

      * The caller may fill in elf->caller_xdest_base and _size to
        specify another range of memory which is safe for libelf to
        access, besides the input and output images.

      * When accesses fail due to being out of range, we mark the elf
        "broken". This will be checked and used for diagnostics in
        a following patch.

        We do not check for write accesses to the input image. This is
        because libelf actually does this in a number of places. So we
        simply permit that.

      * Each caller of libelf which used to set dest now sets
        dest_base and dest_size.

      * In xc_dom_load_elf_symtab we provide a new actual-pointer
        value hdr_ptr which we get from mapping the guest's kernel
        area and use (checking carefully) as the caller_xdest area.

      * The STAR(h) macro in libelf-dominfo.c now uses
        elf_access_unsigned.

      * elf-init uses the new elf_uval_3264 accessor to access the 32-bit
        fields, rather than an unchecked field access (ie, unchecked
        pointer access).

      * elf_uval has been reworked to use elf_uval_3264. Both of these
        macros are essentially new in this patch (although they are
        derived from the old elf_uval) and need careful review.

      * ELF_ADVANCE_DEST is now safe in the sense that you can use it to
        chop parts off the front of the dest area but if you chop more
        than is available, the dest area is simply set to be empty,
        preventing future accesses.

      * We introduce some #defines for memcpy, memset, memmove and strcpy:
         - We provide elf_memcpy_safe and elf_memset_safe which take
           PTRVALs and do checking on the supplied pointers.
         - Users inside libelf must all be changed to either
           elf_mem*_unchecked (which are just like mem*), or
           elf_mem*_safe (which take PTRVALs) and are checked. Any
           unchanged call sites become compilation errors.

      * We do _not_ at this time fix elf_access_unsigned so that it doesn't
        make unaligned accesses. We hope that unaligned accesses are OK on
        every supported architecture. But it does check the supplied
        pointer for validity.

      This is part of the fix to a security issue, XSA-55.

      Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
      Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

      v7: Remove a spurious whitespace change.

      v5: Use allow_size value from xc_dom_vaddr_to_ptr to set xdest_size
          correctly.
          If ELF_ADVANCE_DEST advances past the end, mark the elf broken.
          Always regard NULL allowable region pointers (e.g. dest_base)
          as invalid (since NULL pointers don't point anywhere).

      v4: Fix ELF_UNSAFE_PTR to work on 32-bit even when provided 64-bit
          values.
          Fix xc_dom_load_elf_symtab not to call XC_DOM_PAGE_SIZE
          unnecessarily if load is false. This was a regression.

      v3.1:
          Introduce a change to elf_store_field to undo the effects of
          the v3.1 change to the previous patch (the definition there
          is not compatible with the new types).

      v3: Fix a whitespace error.

      v2 was Acked-by: Ian Campbell <ian.campbell@citrix.com>

      v2: BUGFIX: elf_strval: Fix loop termination condition to actually work.
          BUGFIX: elf_strval: Fix return value to not always be totally wild.
          BUGFIX: xc_dom_load_elf_symtab: do proper check for small header size.
          xc_dom_load_elf_symtab: narrow scope of `hdr_ptr'.
          xc_dom_load_elf_symtab: split out uninit'd symtab.class ref fix.
          More comments on the lifetime/validity of elf->dest ptrs etc.
          libelf.h: write "obsolete" out in full
          libelf.h: rename "dontuse" to "typeonly" and add doc comment
          elf_ptrval_in_range: Document trustedness of arguments.
          Style and commit message fixes.

For bisection revision-tuple graph see:
   http://www.chiark.greenend.org.uk/~xensrcts/results/bisect.xen-unstable.build-armhf.xen-build.html
Revision IDs in each graph node refer, respectively, to the Trees above.

----------------------------------------
Searching for failure / basis pass:
 18125 fail [host=army] / 18114 ok.
Failure / basis pass flights: 18125 / 18114
Tree: qemuu git://xenbits.xen.org/staging/qemu-upstream-unstable.git
Tree: xen git://xenbits.xen.org/xen.git
Latest 79c097d5fe7cb0b4788ed509240cde7e210650bf 82cb4113b6ace16de192021de20f6cbd991e478f
Basis pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
Generating revisions with ./adhoc-revtuple-generator git://xenbits.xen.org/staging/qemu-upstream-unstable.git#79c097d5fe7cb0b4788ed509240cde7e210650bf-79c097d5fe7cb0b4788ed509240cde7e210650bf git://xenbits.xen.org/xen.git#2caac1caa19bdaeb9ab14b2baf1342e00c4d0495-82cb4113b6ace16de192021de20f6cbd991e478f
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...
Loaded 1001 nodes in revision graph
Searching for test results:
 18113 pass irrelevant
 18114 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
 18125 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 82cb4113b6ace16de192021de20f6cbd991e478f
 18129 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 2caac1caa19bdaeb9ab14b2baf1342e00c4d0495
 18130 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 82cb4113b6ace16de192021de20f6cbd991e478f
 18131 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
 18132 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 13e2c808f7ea721c8f200062e2b9b977ee924471
 18133 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 85256359995587df00001dca22e9a76ba6ea8258
 18134 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 50421bd56bf164f490d7d0bf5741e58936de41e8
 18135 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
 18136 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
 18137 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
 18138 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
 18139 pass 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
 18140 fail 79c097d5fe7cb0b4788ed509240cde7e210650bf 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Searching for interesting versions
 Result found: flight 18114 (pass), for basis pass
 Result found: flight 18125 (fail), for basis failure
 Repro found: flight 18129 (pass), for basis pass
 Repro found: flight 18130 (fail), for basis failure
 0 revisions at 79c097d5fe7cb0b4788ed509240cde7e210650bf 04877847ade4ac9216e9f408fd544ade8f90cf9a
No revisions left to test, checking graph state.
 Result found: flight 18135 (pass), for last pass
 Result found: flight 18136 (fail), for first failure
 Repro found: flight 18137 (pass), for last pass
 Repro found: flight 18138 (fail), for first failure
 Repro found: flight 18139 (pass), for last pass
 Repro found: flight 18140 (fail), for first failure

*** Found and reproduced problem changeset ***

  Bug is in tree:  xen git://xenbits.xen.org/xen.git
  Bug introduced:  65808a8ed41cc7c044f588bd6cab5af0fdc0e029
  Bug not present: 04877847ade4ac9216e9f408fd544ade8f90cf9a

using cache /export/home/osstest/repos/git-cache...
using cache /export/home/osstest/repos/git-cache...
locked cache /export/home/osstest/repos/git-cache...
processing ./cacheing-git clone --bare git://xenbits.xen.org/xen.git /export/home/osstest/repos/xen...
Initialized empty Git repository in /export/home/osstest/repos/xen/
updating cache /export/home/osstest/repos/git-cache xen...

commit 65808a8ed41cc7c044f588bd6cab5af0fdc0e029
Author: Ian Jackson <ian.jackson@eu.citrix.com>
Date:   Fri Jun 14 16:39:36 2013 +0100

    libelf: check all pointer accesses

    We change the ELF_PTRVAL and ELF_HANDLE types and associated macros:

    * PTRVAL becomes a uintptr_t, for which we provide a typedef
      elf_ptrval. This means no arithmetic done on it can overflow so
      the compiler cannot do any malicious invalid pointer arithmetic
      "optimisations". It also means that any places where we
      dereference one of these pointers without using the appropriate
      macros or functions become a compilation error.

      So we can be sure that we won't miss any memory accesses.

      All the PTRVAL variables were previously void* or char*, so
      the actual address calculations are unchanged.

    * ELF_HANDLE becomes a union, one half of which keeps the pointer
      value and the other half of which is just there to record the
      type.

      The new type is not a pointer type so there can be no address
      calculations on it whose meaning would change. Every assignment
      or access has to go through one of our macros.

    * The distinction between const and non-const pointers and char*s
      and void*s in libelf goes away. This was not important (and
      anyway libelf tended to cast away const in various places).

    * The fields elf->image and elf->dest are renamed. That proves
      that we haven't missed any unchecked uses of these actual
      pointer values.

    * The caller may fill in elf->caller_xdest_base and _size to
      specify another range of memory which is safe for libelf to
      access, besides the input and output images.

    * When accesses fail due to being out of range, we mark the elf
      "broken". This will be checked and used for diagnostics in
      a following patch.

      We do not check for write accesses to the input image. This is
      because libelf actually does this in a number of places. So we
      simply permit that.

    * Each caller of libelf which used to set dest now sets
      dest_base and dest_size.

    * In xc_dom_load_elf_symtab we provide a new actual-pointer
      value hdr_ptr which we get from mapping the guest's kernel
      area and use (checking carefully) as the caller_xdest area.

    * The STAR(h) macro in libelf-dominfo.c now uses
      elf_access_unsigned.

    * elf-init uses the new elf_uval_3264 accessor to access the 32-bit
      fields, rather than an unchecked field access (ie, unchecked
      pointer access).

    * elf_uval has been reworked to use elf_uval_3264. Both of these
      macros are essentially new in this patch (although they are
      derived from the old elf_uval) and need careful review.

    * ELF_ADVANCE_DEST is now safe in the sense that you can use it to
      chop parts off the front of the dest area but if you chop more
      than is available, the dest area is simply set to be empty,
      preventing future accesses.

    * We introduce some #defines for memcpy, memset, memmove and strcpy:
       - We provide elf_memcpy_safe and elf_memset_safe which take
         PTRVALs and do checking on the supplied pointers.
       - Users inside libelf must all be changed to either
         elf_mem*_unchecked (which are just like mem*), or
         elf_mem*_safe (which take PTRVALs) and are checked. Any
         unchanged call sites become compilation errors.

    * We do _not_ at this time fix elf_access_unsigned so that it doesn't
      make unaligned accesses. We hope that unaligned accesses are OK on
      every supported architecture. But it does check the supplied
      pointer for validity.

    This is part of the fix to a security issue, XSA-55.

    Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

    v7: Remove a spurious whitespace change.

    v5: Use allow_size value from xc_dom_vaddr_to_ptr to set xdest_size
        correctly.
        If ELF_ADVANCE_DEST advances past the end, mark the elf broken.
        Always regard NULL allowable region pointers (e.g. dest_base)
        as invalid (since NULL pointers don't point anywhere).

    v4: Fix ELF_UNSAFE_PTR to work on 32-bit even when provided 64-bit
        values.
        Fix xc_dom_load_elf_symtab not to call XC_DOM_PAGE_SIZE
        unnecessarily if load is false. This was a regression.

    v3.1:
        Introduce a change to elf_store_field to undo the effects of
        the v3.1 change to the previous patch (the definition there
        is not compatible with the new types).

    v3: Fix a whitespace error.

    v2 was Acked-by: Ian Campbell <ian.campbell@citrix.com>

    v2: BUGFIX: elf_strval: Fix loop termination condition to actually work.
        BUGFIX: elf_strval: Fix return value to not always be totally wild.
        BUGFIX: xc_dom_load_elf_symtab: do proper check for small header size.
        xc_dom_load_elf_symtab: narrow scope of `hdr_ptr'.
        xc_dom_load_elf_symtab: split out uninit'd symtab.class ref fix.
        More comments on the lifetime/validity of elf->dest ptrs etc.
        libelf.h: write "obsolete" out in full
        libelf.h: rename "dontuse" to "typeonly" and add doc comment
        elf_ptrval_in_range: Document trustedness of arguments.
        Style and commit message fixes.

Revision graph left in /home/xc_osstest/results/bisect.xen-unstable.build-armhf.xen-build.{dot,ps,png,html}.
----------------------------------------
18140: tolerable ALL FAIL

flight 18140 xen-unstable real-bisect [real]
http://www.chiark.greenend.org.uk/~xensrcts/logs/18140/

Failures :-/ but no regressions.

Tests which did not succeed,
including tests which could not be run:
 build-armhf 4 xen-build fail baseline untested

jobs:
 build-armhf fail

------------------------------------------------------------
sg-report-flight on woking.cam.xci-test.com
logs: /home/xc_osstest/logs
images: /home/xc_osstest/images

Logs, config files, etc. are available at
    http://www.chiark.greenend.org.uk/~xensrcts/logs

Test harness code can be found at
    http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary
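
The checking scheme that the libelf commit message above describes (pointer values held as integers, a fixed set of permitted ranges, a sticky "broken" flag, and a dest area that empties when over-advanced), as an added example in C that is not part of the original report or of libelf. The names `ptrval`, `demo_elf`, `demo_access_unsigned`, `demo_advance_dest` and the sample buffers are assumptions made for illustration, and the read is done bytewise rather than as the possibly unaligned access the message mentions.

```c
/* Added illustration; every name here is hypothetical, not libelf's API. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uintptr_t ptrval;   /* an integer: cannot be dereferenced by accident */
struct region { ptrval base; size_t size; };
struct demo_elf {
    struct region image;    /* untrusted input image */
    struct region dest;     /* output area */
    struct region xdest;    /* extra range the caller declares safe */
    int broken;             /* set once any access has been rejected */
};

/* Overflow-safe: never computes ptr + len. A NULL base never matches. */
static int in_region(const struct region *r, ptrval ptr, size_t len)
{
    if (r->base == 0 || ptr < r->base || ptr - r->base > r->size)
        return 0;
    return len <= r->size - (ptr - r->base);
}

static int access_ok(struct demo_elf *e, ptrval ptr, size_t len)
{
    if (in_region(&e->image, ptr, len) || in_region(&e->dest, ptr, len) ||
        in_region(&e->xdest, ptr, len))
        return 1;
    e->broken = 1;          /* remembered for later diagnostics */
    return 0;
}

/* Checked little-endian read of 1..8 bytes; yields 0 when rejected. */
static uint64_t demo_access_unsigned(struct demo_elf *e, ptrval ptr, size_t len)
{
    unsigned char b[8];
    uint64_t v = 0;
    if (len < 1 || len > sizeof(b) || !access_ok(e, ptr, len))
        return 0;
    memcpy(b, (const void *)ptr, len);  /* byte copy avoids unaligned loads */
    while (len--)
        v = (v << 8) | b[len];
    return v;
}

/* Chop n bytes off the front of dest; overshooting empties it for good. */
static void demo_advance_dest(struct demo_elf *e, size_t n)
{
    if (n > e->dest.size) {
        e->dest = (struct region){ 0, 0 };
        e->broken = 1;
    } else {
        e->dest.base += n;
        e->dest.size -= n;
    }
}

/* Constructed sample data: a 16-byte "image" and an 8-byte output buffer. */
static unsigned char image[16] = { 0x7f, 'E', 'L', 'F', 0x78, 0x56, 0x34, 0x12 };
static unsigned char dest[8];
#define DEMO_NEW { { (ptrval)image, sizeof(image) }, \
                   { (ptrval)dest, sizeof(dest) }, { 0, 0 }, 0 }

uint64_t demo_read_in_range(void)
{
    struct demo_elf e = DEMO_NEW;
    return demo_access_unsigned(&e, (ptrval)image + 4, 4);
}

int demo_rejects(size_t off, size_t len)  /* 1 if image+off, len is refused */
{
    struct demo_elf e = DEMO_NEW;
    return !access_ok(&e, (ptrval)image + off, len) && e.broken;
}

int demo_advance_too_far(void)  /* 1 if overshoot leaves dest unusable */
{
    struct demo_elf e = DEMO_NEW;
    demo_advance_dest(&e, 4);
    int ok = access_ok(&e, e.dest.base, 4) && !e.broken;
    demo_advance_dest(&e, 5);   /* only 4 bytes remain */
    return ok && e.broken && !access_ok(&e, (ptrval)dest, 1);
}

int main(void)
{
    printf("%llx %d %d %d\n", (unsigned long long)demo_read_in_range(),
           demo_rejects(14, 4), demo_rejects(1, SIZE_MAX), demo_advance_too_far());
    return 0;
}
```
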