On 21/07/14 15:11, Andres Lagar Cavilla wrote:
No - it does a domain pause around this set of critical operations,
so the guest is guaranteed not to be running, and therefore cannot
interfere.
My patches have not been committed so there are known (and well
documented) holes in the Xen side of the interface. Therefore, the
assertion is completely correct at the moment. The situation will
certainly change (for the better) once my patches are taken.
I would like to hope that I got all the issues, but I did not
perform an extensive analysis of the interface. I discovered the
issues when reviewing the bitdefender code which copied the vcpu
overrun bug, and then discovered the pause_count issue when fixing
the vcpu overrun.
I got all the issues I could spot, given no specific knowledge of
the mem_event stuff. However, I feel it would be naive to assume
that the rest of the interface is secure. (This might well be my
particularly-pessimistic attitude to security, but it does tend to
be more reliable than the optimistic attitude.) A proper audit of
the interface is required as part of resolving XSA-77.
Let me rephrase. Does this series do anything which 6ae2df93 (which
is now committed) didn't do? It would certainly appear that
6ae2df93 does the vast majority of what this series is attempting to
do.
~Andrew