Re: [Xen-devel] [PATCH 7/7] x86/mm: Prevent 32bit PV guests using out-of-range linear addresses
On 12/09/17 16:50, Jan Beulich wrote:
>>>> On 12.09.17 at 14:14, <andrew.cooper3@xxxxxxxxxx> wrote:
>> The grant ABI uses 64 bit values, and allows a PV guest to specify linear
>> addresses. There is nothing interesting a 32bit PV guest can reference which
>> will pass an __addr_ok() check, but it should still get an error for trying.
> While I'm all for tightening checks, I'm not sure we reasonably can:
> Existing guests may (perhaps inadvertently) rely on this behavior,
> and hence may break with the change. I think a prereq to this is to
> have a command line option (or even a per-guest one) to control
> strict vs relaxed argument checking behavior, and tie the extra
> checks to that option being true.

At the moment, any attempt to use this behaviour will still cause a general error, because we can't locate an L1e mapping the out-of-range linear address. Therefore, the guest wouldn't have had the grant operation succeed before.

The problem is that it's a latent security bug if we ever chose to reuse these ranges for other purposes.

E.g. One idea I've had for a while is to move the XLAT translation logic into guest mode, accessed via a modification to the hypercall page. This would mitigate security issues such as infinite loops or boundary overflows, both of which we've had in the XLAT logic in the past.

~Andrew