vmbase: bionic: Make FILE* non-dereferencable

In C, it is legal (albeit impl-defined) to dereference a FILE*. However,
treating our CFilePtr variants as valid pointers would be unsafe (from a
Rust perspective) as they are not actual (Rust) pointers. Currently, we
have no need for an actual FILE struct so there is no proper way to
construct valid pointers.

Instead, ensure that C never tries to dereference the FILE* values we
pass it for stdout and stderr. As vmbase never uses TTBR1_EL1 (entry.S
sets TCR_EL1.EPD1), addresses in the "upper" VA range can't be mapped
and can therefore be used as FILE* for this purpose. As a result, C
dereferencing these pointers would trigger a synchronous exception (mem
abort caused by invalid translation) leading to a system crash, keeping
the Rust environment safe. To reduce the risk of this bitrotting if/when
vmbase starts using TTBR1_EL1, use an address that requires 52-bit VA
range (TCR_EL1.T1SZ = 12), which we currently don't use even with TTBR0.

However, as those addresses use more than 32 bits, Rust warns about them
not being portable as usize. Therefore, enforce that the code be only
compiled for AArch64, rendering moot the portability concern, which can
then be silenced. This approach will force other targets to re-evaluate
the assumption and/or define their own addresses.

Test: m pvmfw librialto libvmbase_example
Change-Id: Ic4e373fa86db03728f92cd522fdb089462c11f83
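The argument in the commit message rests on TCR_EL1 arithmetic: an address whose top bits are set is only translatable through TTBR1_EL1 if TCR_EL1.T1SZ is small enough, and never if EPD1 is set. The following is an added example (not the vmbase commit's own code) that models that check so a candidate FILE* sentinel can be verified to be unmappable; the sentinel values and the `Tcr` struct are constructed for illustration, and the addresses are kept as `u64` rather than `usize` so the model compiles on any host, whereas the commit gates the real constants behind an AArch64-only build.

```rust
// Model of the TCR_EL1 fields the commit message relies on (constructed).
pub struct Tcr {
    /// TCR_EL1.EPD1: when set, TTBR1_EL1 walks are disabled entirely.
    pub epd1: bool,
    /// TCR_EL1.T1SZ: upper VA range has 64 - T1SZ bits.
    pub t1sz: u64,
}

/// Smallest architecturally permitted T1SZ: a 52-bit upper VA range.
pub const T1SZ_MIN: u64 = 12;

/// Lowest address covered by the TTBR1_EL1 ("upper") range for `t1sz`:
/// the top T1SZ bits of a valid upper-range address must all be ones.
pub fn upper_range_base(t1sz: u64) -> u64 {
    // 12 (52-bit VA, FEAT_LVA) .. 39 (25-bit VA) is the legal span.
    assert!((T1SZ_MIN..=39).contains(&t1sz), "T1SZ out of range");
    u64::MAX << (64 - t1sz)
}

/// True if `addr` is translatable through TTBR1_EL1 when T1SZ == `t1sz`.
pub fn in_upper_range(addr: u64, t1sz: u64) -> bool {
    addr >= upper_range_base(t1sz)
}

/// True if `addr` is only translatable with the 52-bit upper range,
/// i.e. it cannot be mapped unless TCR_EL1.T1SZ == 12.
pub fn requires_52bit_upper_range(addr: u64) -> bool {
    in_upper_range(addr, T1SZ_MIN) && !in_upper_range(addr, T1SZ_MIN + 1)
}

/// True if a C dereference of `addr` is guaranteed to fault under `tcr`:
/// the address has bit 63 set (so it can never come from TTBR0) and either
/// TTBR1 walks are disabled or it lies in the hole above the upper range.
/// Lower-half addresses could be mapped via TTBR0, so they never qualify.
pub fn deref_faults(addr: u64, tcr: &Tcr) -> bool {
    if addr >> 63 == 0 {
        return false;
    }
    tcr.epd1 || !in_upper_range(addr, tcr.t1sz)
}

/// Constructed sentinel FILE* values: bits 63..52 set, bit 51 clear, so they
/// sit inside the upper range only when T1SZ == 12.
pub const STDOUT_SENTINEL: u64 = 0xFFF0_0000_0000_0000;
pub const STDERR_SENTINEL: u64 = 0xFFF0_0000_0000_0001;
```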
1 file changed
tree: 1ec19ebff267b81fa4072c68ee752d0511cf3db4
README.md

Android Virtualization Framework (AVF)

Android Virtualization Framework (AVF) provides secure and private execution environments for executing code. AVF is ideal for security-oriented use cases that require stronger isolation assurances over those offered by Android’s app sandbox.

Visit our public doc site to learn more about what AVF is, what it is for, and how it is structured. This repository contains source code for userspace components of AVF.

If you want a quick start, see the getting started guideline and follow the steps there.

For in-depth explanations about individual topics and components, visit the following links.
