
Re: [Xen-devel] NULL pointers and PV guests.



On Mon, Mar 30, 2015 at 3:31 PM, Konrad Rzeszutek Wilk
<konrad.wilk@xxxxxxxxxx> wrote:
> On Thu, Mar 26, 2015 at 04:23:19PM +0000, Tim Deegan wrote:
>> Hi,
>>
>> After XSA-109 (a null function-pointer dereference) we've been
>> thinking about things we can do to make null pointers less dangerous
>> in PV guests.  This is a problem for pure PV only - when Xen is
>> running HVM and PVH guests null pointer dereferences will fault.
>>
>> [ Disclaimer: it's sadly clear that I'm not going to have time to work
>>   on any of these ideas myself. :(  But we could at least put them on
>>   the wish list. ]
>>
>> Idea 1: track PV pagetables so that we can tell which pagetables
>> might map the zero address -- e.g. by adding a flag or new types at
>> each level to indicate that we've seen this pagetable referenced
>> from slot zero of a higher-level pagetable that also has the flag set.
>> Then we could refuse any potential mapping of the bottom virtual 4k.
>>
>> This is probably OK as a general feature because most PV OSes will
>> want to keep the bottom 4k free so that their own null pointers work.
>> But it would potentially mean that the guest couldn't alias the same
>> L1/2/3 pagetable at address 0 and some other address.
>>
>> Linux/BSD people, can you comment on how likely that is to be a
>> problem?  Is it totally mad?
>
> I would stay away from any pagetables manipulation as much as possible
> in Linux. Linus is already unhappy with the SHARED_PMD flag being
> disabled when running under Xen and wants to eliminate that.

I'm pretty sure Tim is talking about tracking pagetables in Xen, not
in Linux.  The only restriction Idea 1 has in Linux would be that it
couldn't, even during boot, be able to map something at VA 0, and Tim
is asking realistically how often this is likely to be a problem.

I know that *in general*, Linux doesn't allow processes to map
anything to VA 0 either, for similar reasons; but that there are
mechanisms in place to override that.  I think we're probably OK with
crashing a guest that runs one of these "I need NULL pointers"
programs (or allowing the host admin to special-case permission for
VMs she trusts); but there was a fear that there may be a phase during
boot where VA 0 gets mapped that would be more difficult to avoid.

 -George
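To make Idea 1 concrete, here is a toy C model (added to this archive page; it is not Xen code and not from anyone in the thread) of the flag propagation Tim describes: a table linked from slot 0 of a flagged table inherits the flag, and a present leaf entry in slot 0 of a flagged L1 is refused, which is also why the same L1 cannot be aliased at VA 0 and elsewhere. The 4-level 64-bit PV layout, the table indices and the scenario are constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>
#define NSLOTS 512  /* 64-bit PV: 512 entries per level, L4 down to L1 */

/* Toy model of a PV guest's pagetables as Xen tracks them (added example, not
 * Xen code); may_map_zero is the per-table flag Idea 1 proposes. */
struct pt {
    int  level;            /* 4 = top level, 1 = leaf table (L1) */
    bool may_map_zero;     /* reachable via slot 0 from a flagged ancestor */
    int  child[NSLOTS];    /* index of the table in this slot, -1 if empty */
    bool present[NSLOTS];  /* L1 only: a leaf mapping is installed here */
};
static struct pt pts[8];   /* enough tables for the constructed scenario */

static void pt_init(int t, int level) {
    memset(&pts[t], 0, sizeof pts[t]);
    memset(pts[t].child, -1, sizeof pts[t].child);  /* every slot empty */
    pts[t].level = level;
    pts[t].may_map_zero = (level == 4);  /* the top level always covers VA 0 */
}
/* Flag t and every table hanging off slot 0 below it as able to map VA 0. */
static void flag_chain(int t) {
    pts[t].may_map_zero = true;
    if (pts[t].level > 1 && pts[t].child[0] >= 0) flag_chain(pts[t].child[0]);
}
/* Guest links table c into slot `slot` of p (L4->L3, L3->L2, L2->L1). */
static void pt_link(int p, int slot, int c) {
    pts[p].child[slot] = c;
    if (slot == 0 && pts[p].may_map_zero) flag_chain(c);
}
/* Guest writes a leaf PTE; slot 0 of a flagged L1 is the bottom 4k: refuse. */
static bool pt_map_leaf(int l1, int slot) {
    if (slot == 0 && pts[l1].may_map_zero) return false;
    pts[l1].present[slot] = true;
    return true;
}
/* Constructed scenario: L4(0)->L3(1)->L2(2)->L1(3) all via slot 0, plus an
 * unrelated L1(4) at slot 1 of the L2. Returns a bitmask of accepted writes. */
static int scenario(void) {
    int r = 0;
    for (int t = 0; t < 5; t++) pt_init(t, t < 4 ? 4 - t : 1);
    pt_link(0, 0, 1); pt_link(1, 0, 2); pt_link(2, 0, 3); pt_link(2, 1, 4);
    r |= pt_map_leaf(3, 0) << 0;  /* VA 0 via flagged L1(3): refused */
    r |= pt_map_leaf(3, 1) << 1;  /* VA 4k: allowed */
    r |= pt_map_leaf(4, 0) << 2;  /* VA 2M via unflagged L1(4): allowed */
    pt_link(2, 5, 3);             /* alias L1(3) at VA 10M as well... */
    r |= pt_map_leaf(3, 0) << 3;  /* ...its slot 0 (now also VA 10M) stays refused */
    return r;                     /* 6 == 0b0110 */
}
```

The model only checks leaf writes; a real implementation would also have to refuse linking, into slot 0 of a flagged table, a child whose own slot-0 chain already ends in a present leaf.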

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
