Merge branch 'main' into guest-mem-in-vm

Author: roypat

Cargo.lock

@@ -10,7 +10,7 @@ name = "clippy-tracing"
 bench = false
 
 [dependencies]
-clap = { version = "4.5.32", features = ["derive"] }
+clap = { version = "4.5.35", features = ["derive"] }
 itertools = "0.14.0"
 proc-macro2 = { version = "1.0.94", features = ["span-locations"] }
 quote = "1.0.40"

src/clippy-tracing/Cargo.toml

@@ -10,7 +10,7 @@ name = "cpu-template-helper"
 bench = false
 
 [dependencies]
-clap = { version = "4.5.32", features = ["derive", "string"] }
+clap = { version = "4.5.35", features = ["derive", "string"] }
 displaydoc = "0.2.5"
 libc = "0.2.171"
 log-instrument = { path = "../log-instrument", optional = true }

src/cpu-template-helper/Cargo.toml

@@ -13,7 +13,7 @@ fn main() {
     let bpf_path = &args[2];
 
     let filter_file = File::open(bpf_path).unwrap();
-    let map = deserialize_binary(&filter_file, None).unwrap();
+    let map = deserialize_binary(&filter_file).unwrap();
 
     // Loads filters.
     apply_filter(map.get("main").unwrap()).unwrap();

src/firecracker/examples/seccomp/jailer.rs

@@ -11,7 +11,7 @@ fn main() {
     let filter_thread = &args[2];
 
     let filter_file = File::open(bpf_path).unwrap();
-    let map = deserialize_binary(&filter_file, None).unwrap();
+    let map = deserialize_binary(&filter_file).unwrap();
     apply_filter(map.get(filter_thread).unwrap()).unwrap();
     panic!("Expected panic.");
 }

src/firecracker/examples/seccomp/panic.rs

@@ -9,12 +9,6 @@ use vmm::seccomp::{BpfThreadMap, DeserializationError, deserialize_binary, get_e
 
 const THREAD_CATEGORIES: [&str; 3] = ["vmm", "api", "vcpu"];
 
-// This byte limit is passed to `bincode` to guard against a potential memory
-// allocation DOS caused by binary filters that are too large.
-// This limit can be safely determined since the maximum length of a BPF
-// filter is 4096 instructions and Firecracker has a finite number of threads.
-const DESERIALIZATION_BYTES_LIMIT: Option<u64> = Some(100_000);
-
 /// Error retrieving seccomp filters.
 #[derive(Debug, thiserror::Error, displaydoc::Display)]
 pub enum FilterError {
@@ -72,15 +66,13 @@ pub fn get_filters(config: SeccompConfig) -> Result<BpfThreadMap, FilterError> {
 fn get_default_filters() -> Result<BpfThreadMap, FilterError> {
     // Retrieve, at compile-time, the serialized binary filter generated with seccompiler.
     let bytes: &[u8] = include_bytes!(concat!(env!("OUT_DIR"), "/seccomp_filter.bpf"));
-    let map = deserialize_binary(bytes, DESERIALIZATION_BYTES_LIMIT)
-        .map_err(FilterError::Deserialization)?;
+    let map = deserialize_binary(bytes).map_err(FilterError::Deserialization)?;
     filter_thread_categories(map)
 }
 
 /// Retrieve custom seccomp filters.
 fn get_custom_filters<R: Read + Debug>(reader: R) -> Result<BpfThreadMap, FilterError> {
-    let map = deserialize_binary(BufReader::new(reader), DESERIALIZATION_BYTES_LIMIT)
-        .map_err(FilterError::Deserialization)?;
+    let map = deserialize_binary(BufReader::new(reader)).map_err(FilterError::Deserialization)?;
     filter_thread_categories(map)
 }
 

src/firecracker/src/seccomp.rs

@@ -32,7 +32,7 @@ log = "0.4.27"
 log-instrument-macros = { path = "../log-instrument-macros" }
 
 [dev-dependencies]
-env_logger = "0.11.7"
+env_logger = "0.11.8"
 
 [lints]
 workspace = true

src/log-instrument/Cargo.toml

@@ -16,8 +16,8 @@ path = "src/bin.rs"
 bench = false
 
 [dependencies]
-bincode = "1.2.1"
-clap = { version = "4.5.32", features = ["derive", "string"] }
+bincode = { version = "2.0.1", features = ["serde"] }
+clap = { version = "4.5.35", features = ["derive", "string"] }
 displaydoc = "0.2.5"
 libc = "0.2.171"
 serde = { version = "1.0.219", features = ["derive"] }

src/seccompiler/Cargo.toml

@@ -8,7 +8,9 @@ use std::os::fd::{AsRawFd, FromRawFd};
 use std::os::unix::fs::MetadataExt;
 use std::str::FromStr;
 
-use bincode::Error as BincodeError;
+use bincode::config;
+use bincode::config::{Configuration, Fixint, Limit, LittleEndian};
+use bincode::error::EncodeError as BincodeError;
 
 mod bindings;
 use bindings::*;
@@ -17,6 +19,18 @@ pub mod types;
 pub use types::*;
 use zerocopy::IntoBytes;
 
+// This byte limit is passed to `bincode` to guard against a potential memory
+// allocation DOS caused by binary filters that are too large.
+// This limit can be safely determined since the maximum length of a BPF
+// filter is 4096 instructions and Firecracker has a finite number of threads.
+const DESERIALIZATION_BYTES_LIMIT: usize = 100_000;
+
+pub const BINCODE_CONFIG: Configuration<LittleEndian, Fixint, Limit<DESERIALIZATION_BYTES_LIMIT>> =
+    config::standard()
+        .with_fixed_int_encoding()
+        .with_limit::<DESERIALIZATION_BYTES_LIMIT>()
+        .with_little_endian();
+
 /// Binary filter compilation errors.
 #[derive(Debug, thiserror::Error, displaydoc::Display)]
 pub enum CompilationError {
@@ -174,8 +188,9 @@ pub fn compile_bpf(
         bpf_map.insert(name.clone(), bpf);
     }
 
-    let output_file = File::create(out_path).map_err(CompilationError::OutputCreate)?;
+    let mut output_file = File::create(out_path).map_err(CompilationError::OutputCreate)?;
 
-    bincode::serialize_into(output_file, &bpf_map).map_err(CompilationError::BincodeSerialize)?;
+    bincode::encode_into_std_write(&bpf_map, &mut output_file, BINCODE_CONFIG)
+        .map_err(CompilationError::BincodeSerialize)?;
     Ok(())
 }

src/seccompiler/src/lib.rs

@@ -10,7 +10,7 @@ name = "snapshot-editor"
 bench = false
 
 [dependencies]
-clap = { version = "4.5.32", features = ["derive", "string"] }
+clap = { version = "4.5.35", features = ["derive", "string"] }
 displaydoc = "0.2.5"
 
 fc_utils = { package = "utils", path = "../utils" }