
Re: [Xen-devel] [PATCH V13 3/7] xen/arm: Allow hypervisor access to mem_access protected pages





On Thu, Mar 12, 2015 at 5:48 PM, Ian Campbell <ian.campbell@xxxxxxxxxx> wrote:
On Thu, 2015-03-12 at 17:02 +0100, Tamas K Lengyel wrote:
>
> On Thu, Mar 12, 2015 at 4:56 PM, Ian Campbell
> <ian.campbell@xxxxxxxxxx> wrote:
> > On Thu, 2015-03-12 at 16:44 +0100, Tamas K Lengyel wrote:
> > > On Thu, Mar 12, 2015 at 4:40 PM, Julien Grall
> > > <julien.grall@xxxxxxxxxx> wrote:
> > > > Hi Ian,
> > > >
> > > > On 12/03/15 15:27, Ian Campbell wrote:
> > > > >> Currently, check_type_get_page emulates only the check for 2). So you may
> > > > >> end up allowing Xen to write to a read-only mapping (from the Stage 1 POV).
> > > > >> This was XSA-98.
> > > > >
> > > > > XSA-98 was purely about stage-2 permissions (e.g. read-only grants). The
> > > > > fact that the resulting patch also checks stage-1 permissions is not a
> > > > > security property AFAICT.
> > > >
> > > > XSA-98 was for both... Without checking stage-1 permission a userspace
> > > > which can issue a hypercall may be able to write into read-only kernel
> > > > space. Whoops.
> > >
> > > Userspace is able to issue hypercall?
> >
> > Via ioctls on /proc/xen/privcmd, yes. It's how the toolstack talks to
> > Xen...
>
> Well, that is not the userspace issuing the hypercall, it's a kernel
> module issuing the hypercall on behalf of a process ;)

But the vaddrs etc in there are userspace controlled and the kernel does
not validate them.

Ian.

Right, it's a bit splitting hairs and my point was just that the kernel is always in the middle and theoretically could implement input validation and access control as well.

Tamas
