Re: [Xen-devel] XSA-255 and Arm

[Julien Grall <julien@xxxxxxx>]

Sorry I forgot to CC xen-devel.

On 09/12/2019 13:13, Julien Grall wrote:
> Hi all,
>
> I was looking at the Grant Table code over the week-end and noticed 
> thart XSA-255 [1] introduced some unintended consequences on Arm.
> Since the XSA, gnttab_map_frame() will remove the previous mapping (if 
> any) because mapping to the new GFN.
> As on Arm we don't have an M2P, the GFN is stored per frame in the 
> grant-table code. This will never get cleared during unmapping (e.g. 
> XENMEM_remove_from_physmap) and therefore we may end up to remove a 
> mapping from someone different (Arm does not check the MFN is the 
> correct one before removing mapping).
> This works well on x86 because the translation MFN to GFN is using the 
> M2P. Therefore, the translation will be indirectly cleared when the 
> mapping is removed via XENMEM_remove_from_physmap.
> I could fix the P2M code to check the MFN on removal, but this is only 
> fixing on part of the problem. For instance, 
> gnttab_unpopulate_status_frame() is also check whether the GFN is still 
> valid for each mapping.
> Without the M2P, I can only see one solution. We would need to check 
> whether the GFN correspond to a grant frame and update the array on 
> removal. This obviously requires to loop through an array which is not 
> very great.
> Any other ideas?
>
> Cheers,
>
> [1] grant table v2 -> v1 transition may crash Xen
--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel