Re: [Xen-devel] [PATCH] Libxc: fix xc_translate_foreign_address()

[Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>]

On 04/04/2017 06:11 PM, Andrew Cooper wrote:
> On 04/04/17 13:14, Razvan Cojocaru wrote:
>> Currently xc_translate_foreign_address only checks for PSE bit only on
>> level 2 entries (that's 2 MB pages on x64 and 32-bit with PAE, and 4 MB
>> pages on 32-bit). But linux kernel sometimes uses 1 GB pages. This patch
>> fixes that, and checks the PSE bit on level 3 entries if the guest has 4
>> translation levels (that means 64-bit guests only).
>>
>> Signed-off-by: Cristian-Bogdan Sirb <csirb@xxxxxxxxxxxxxxx>
> 
> This function is in a rather tragic state.  Lucky it isn't used by code
> covered by Xen's security statement.
> 
> This patch reintroduces XSA-176, and the existing code doesn't work for
> 4M superpages, or guests using PSE36.  (I might be acutely aware of
> pagetable issues, following c/s
> 4c5d78a10dc89).  Furthermore, the map/unmap overhead must be a large
> overhead.
> 
> How often is this used by introspection?  To properly walk the
> pagetables, you need access to the CPUID information (as well as the
> control register state), and that isn't yet available to the toolstack
> in Xen.
> 
> I'm wondering whether it might be better to have a way of asking Xen to
> perform a virtual to linear translation in the context of a specific
> vcpu.  My gut feeling is that it might be quicker than running this
> logic, and is definitely more simple than trying to fix this code not to
> have vulnerabilities in it.

We have a workaround looking directly into the guest but have felt that
the proper thing to do was to contribute the fix back to Xen.


Thanks,
Razvan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel