RE: [Xen-devel] [PATCH] Fix the bug of guest OS installation failure and win2k boot failure
Hi, Keir,

Do you mean that in a multi-threaded process, one thread issues an I/O operation, and in the time slot just after the processor has fetched the instruction and validated the access, but before Xen re-fetches the instruction for emulation, another thread steals that I/O instruction and replaces it with a new one? Maybe we can regard it as a kind of attack... This could happen in theory, but I think other instruction emulation may also have this problem.

In your last sentence, do you mean that we still need to do an entire I/O permission check (including CPL, IOPL, and TSS I/O bitmap) in x86_emulate() for safety considerations?

Thanks! :-)

Best regards,
-- Dongxiao

-----Original Message-----
From: Keir Fraser [mailto:keir.fraser@xxxxxxxxxxxxx]
Sent: 18 March 2008 16:46
To: Xu, Dongxiao; Cui, Dexuan; xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] [PATCH] Fix the bug of guest OS installation failure and win2k boot failure

We're on the same page now, except that I realised there is a TOCTTOU race introduced by relying on the processor's permission check while re-fetching the instruction from scratch in the hypervisor. This allows, in theory, a multi-threaded process to rewrite the I/O-port accessing instruction after the processor has fetched the instruction, and validated the access, but before Xen re-fetches the instruction for emulation. Possibly we do not care too much about this, since the process must already have some I/O-port-access permissions, but equally I don't expect we fall into the TSS-bitmap check all that often, it's not that hard to implement, and then we are definitely safe.

-- Keir

On 18/3/08 01:49, "Xu, Dongxiao" <dongxiao.xu@xxxxxxxxx> wrote:

> Hi, Keir,
> Now I understand what you mean. read_io, write_io, inject_hw_exception
> callbacks are not defined within the multi.c. So I/O instructions will not be
> emulated by it. Thanks for your comments. And the new patch is attached.
>
> Best regards,
> -- Dongxiao
>
> -----Original Message-----
> From: Keir Fraser [mailto:keir.fraser@xxxxxxxxxxxxx]
> Sent: 17 March 2008 19:21
> To: Cui, Dexuan; Xu, Dongxiao; xen-devel@xxxxxxxxxxxxxxxxxxx
> Subject: Re: [Xen-devel] [PATCH] Fix the bug of guest OS installation failure
> and win2k boot failure
>
> On 17/3/08 11:16, "Cui, Dexuan" <dexuan.cui@xxxxxxxxx> wrote:
>
>>> I think you misunderstand. The shadow emulator *never* emulates I/O
>>> port accesses or exception deliveries. Those callback functions are
>>> simply not implemented and are left as NULL.
>> Those callback functions -- what are they? -- do you mean the following?
>> static struct x86_emulate_ops hvm_emulate_ops = {
>>     ....
>>     .read_io  = hvmemul_read_io,
>>     .write_io = hvmemul_write_io,
>>     ...
>> };
>
> Yes indeed. Also, crucially, .inject_hw_exception. Without that
> x86_emulate() is unable to inject any exception into the guest, and will
> instead return X86EMUL_UNHANDLEABLE.
>
> -- Keir

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
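The "entire I/O permission check" the thread converges on (CPL against IOPL, then the TSS I/O permission bitmap, bounded by the TSS limit) is what removes the dependence on the processor's earlier check that opened the TOCTTOU window. The following is an added illustration in C, not code from this thread or from Xen: the vcpu_state struct, the sample TSS layout (bitmap at offset 0x68) and the permitted port range 0x3F8-0x3FF are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Offset of the 16-bit I/O map base address field in the 32-bit TSS. */
#define TSS_IOBMP_BASE_FIELD 0x66

/* Constructed model of the vCPU state the permission check depends on. */
struct vcpu_state {
    unsigned int cpl;        /* current privilege level */
    unsigned int iopl;       /* EFLAGS.IOPL */
    int vm86;                /* EFLAGS.VM */
    int protected_mode;      /* CR0.PE */
    uint32_t tss_limit;      /* TR limit: last valid byte offset of the TSS */
    const uint8_t *tss;      /* TSS bytes */
};

/* Full check, independent of anything the CPU validated earlier.
 * Returns 1 if [port, port+bytes) is permitted, 0 if it must raise #GP. */
int io_access_allowed(const struct vcpu_state *v, uint16_t port, unsigned int bytes)
{
    if (!v->protected_mode)                  /* real mode: unrestricted */
        return 1;
    if (!v->vm86 && v->cpl <= v->iopl)       /* privileged enough: no bitmap lookup */
        return 1;
    if (v->tss_limit < TSS_IOBMP_BASE_FIELD + 1) /* TSS too small to hold the base field */
        return 0;
    uint32_t iobmp_base = v->tss[TSS_IOBMP_BASE_FIELD] |
                          ((uint32_t)v->tss[TSS_IOBMP_BASE_FIELD + 1] << 8);
    for (unsigned int i = 0; i < bytes; i++) {
        uint32_t bit = (uint32_t)port + i;
        uint32_t off = iobmp_base + bit / 8;
        if (off > v->tss_limit)              /* bitmap byte beyond the TSS: deny */
            return 0;
        if (v->tss[off] & (1u << (bit % 8))) /* set bit means the port is forbidden */
            return 0;
    }
    return 1;
}

/* Constructed sample: CPL 3 task, IOPL 0, bitmap at TSS+0x68 permitting only 0x3F8-0x3FF. */
#define IOBMP_OFF 0x68
static uint8_t sample_tss[IOBMP_OFF + 8192 + 1];
#define SAMPLE_TSS_LIMIT (sizeof sample_tss - 1)
int demo_check(uint16_t port, unsigned int bytes, uint32_t tss_limit)
{
    memset(sample_tss, 0xFF, sizeof sample_tss);     /* deny by default */
    sample_tss[TSS_IOBMP_BASE_FIELD] = IOBMP_OFF;    /* bitmap base, little-endian */
    sample_tss[TSS_IOBMP_BASE_FIELD + 1] = 0;
    sample_tss[IOBMP_OFF + 0x3F8 / 8] = 0x00;        /* clear bits for ports 0x3F8..0x3FF */
    struct vcpu_state v = { .cpl = 3, .iopl = 0, .vm86 = 0, .protected_mode = 1,
                            .tss_limit = tss_limit, .tss = sample_tss };
    return io_access_allowed(&v, port, bytes);
}
```

Passing a tss_limit smaller than the bitmap's position shows the bounds case: the lookup is refused rather than reading past the TSS.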