[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v7 10/10] xen/common: do not implicitly permit access to mapped I/O memory

>>> On 26.05.14 at 13:24, <julien.grall@xxxxxxxxxx> wrote:
> On 26/05/14 12:14, Jan Beulich wrote:
>>>>> On 26.05.14 at 12:53, <julien.grall@xxxxxxxxxx> wrote:
>>> On 26/05/14 11:14, Jan Beulich wrote:
>>>> Or maybe I wasn't wrong - the patch context doesn't really make
>>>> clear whether it's the granting or mapping operation that gets
>>>> adjusted here (since an earlier patch moved the mapping one into
>>>> this function).
>>>            ret = -EPERM;
>>> -        if ( !iomem_access_permitted(current->domain, mfn, mfn_end) )
>>> +        if ( !iomem_access_permitted(d, mfn, mfn_end) )
>>>                break;
>>>            ret = xsm_iomem_mapping(XSM_HOOK, d, mfn, mfn_end, add);
>>> There is an xsm_iomem_mapping just after, so the change has been done in
>>> XEN_DOMCTL_memory_mapping.
>> In which case I indeed stick to my original comment - it's perhaps
>> best to check _both_.
> Why? We may want to map the region in the guest P2M without giving the 
> permission to the guest (I'm thinking about ARM passthrough case).

How can you put a mapping of memory into a guest's P2M for which
that guest has no access permission? To me this reads like you're
intending to create a security issue here.

> With your requirements, we have to call 2 hypercalls rather than one for 
> memory mapping, even if we don't want to allow the guest modifying iomem 
> range.

While I can see you not allowing modification, even r/o access may
(and likely will) be problematic for MMIO.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.