-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unsound code patterns #104
Comments
You are right, there are several C-isms still in the code from the early days of the SVSM, when I was still starting my Rust learning journey 😊 So for the whole console code the solution will be to simplify it once the VC handler is merged. Then we can remove all the logic that makes it need a link to the GHCB. The page-table code needs a general cleanup, that will happen along with the virtual memory manager changes and conversion work. For now it is safe because all page-tables are static, but with modules/processes this will change. If you see any other place that could be improved I am open for PRs or discussussions in this issue. There are several areas for cleanup I have in mind, too. One is, e.g., changing stage2 to not need the PerCpu implementation, which allows further simplifications in PerCpu code. But there are certainly more places. |
I might be able to take a shot at some of the issues over the weekend.
In that case it's probably a good idea to open issues to track these future tasks :) |
Continued list of issues:
Other than these safety violations, there is a lot of unsafe code in general and a lot of it is not very contained. Some of that's unavoidable given the nature of low level kernel code, but my guess is that this can be improved. |
Yeah this is definitely wrong. Opened #117 for this. |
These are fine in my opinion, as invalid accesses are properly recovered from via the exception table. I sort of mentioned this in the commit message for 0955d4e ( |
Exceptions are not the only concern though, there are plenty of ways to cause havoc by writing to writable pages. For example these functions could be used to bypass the borrow checker or corrupt return pointers on the stack. |
I suggest opening a new issue with the remaining points and keep track of the to-be-fixed places in a checklist in the first comment of the issue. This way we can track more easily what remains to be fixed. |
Sounds good to me. Chances are that the issues listed here are out of date anyway. Currently, I don't have the time to do this but feel free to do so. If everything goes well, I'll have more time to contribute in about two months. |
I have some time to spend atm, I'll take this and investigate the possible still-alive unsound issues. @Freax13 feel free to jump in when you have free time :) |
Some updates:
I'm working on having borrow checking for the GHCB at the moment.
Will be fixed by #348.
Outdated |
If you're up for it, could you assign yourself in the development document? You can add me as well, as I'm already working on a couple of the points above. |
I created #359 to track the remaining unsound patterns. The list still needs a bit of triage, we can discuss it in the issue. We could also maybe add a "Tracking" label to the new issue (or similar name) if we plan to append the new found patterns to the same list. |
This codebase unfortunately uses code patterns that are unsound. A few examples (not exhaustive):
svsm/src/sev/ghcb.rs
Lines 490 to 508 in 739fa7f
GHCBIOPort
should not implementSync
as it is not safe to share the containedRefCell
across threads.svsm/src/console.rs
Lines 13 to 38 in 739fa7f
Console::write_str
creates a reference to the point set inConsole::set
without making sure that the pointer is dereferencable.svsm/src/mm/pagetable.rs
Lines 710 to 747 in 739fa7f
PageTableRef
doesn't have a lifetime associated with it, so there's no guarantee that the containedPageTable
pointer is still live whenPageTableRef::deref(_mut)
dereferences the pointer.The text was updated successfully, but these errors were encountered: