Xen project Mailing List

RE: [EXTERNAL] Re: [XEN PATCH] xen/common: validate shared memory guest address overlap with guest RAM

To: Julien Grall <julien@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: "Bae, Joan" <joan.bae@xxxxxxxxxx>

Date: Wed, 15 Apr 2026 02:19:39 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=boeing.com; dmarc=pass action=none header.from=boeing.com; dkim=pass header.d=boeing.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=mh3jw2nNypx/gjnyF2rTr4YGVZIzELOgxhSCK38qGjI=; b=lNapfPH99MhWizTyuamdF6iSBnvqjgLgBhEYwfdsQid4nwafUhcWMeQcNrOn5nZgSnGZfe9qxsFuSgM7W51OGXJW9c3S5r61c4036gTPiW5airgBULf6+pLOZCCY6Y3YVS9FZG2B0lLv8qNFBha6XVJLkTk899CNpvKzdE/lY9nNpRciSoW/KCSdzcIIixOpdER3W+3iMU6hReKaNkKkdedv5scYlkblTGrOj/hxKfohuLeqihbcwt6PTxWN/sGIffKFQqWJYfniN8GVcEm4zCZQqyHkzRYPEZ1gpQq1gOz5FoDnKBB31c4UVg2YZB2GGZ6YYsiqTSun4o2wEemlhQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=rqaHgzA3rsBF9fvGHuzwZoMehVmJAf9IIHmva8eM4/XXmMZhjtyQNGPlojFMEUuSP5EgytMNOZASYcX7gyhrsIflPICm2iVonfiNWRaP/3+A+eUv6GfSufYNOKhmlx9FAZd6rLsq9tMDa9W4ic6mDSll+Co75k4kZcBTrvyFk9wXAcmP/2TbcGKKfY9r7TlcxHmt0pIZi4yqViNO43znpfu57KlVuSpV1TN6RjSgdjJbo8q+Z+ww2eGouwWwkcPj5A4Xulu7pUt0OCc1LAa2mOvfDzbxe6A8+F+bq+Uq5OLsuks6bx9/sUCCPXOZ6ZR6WBBzZknXC8fwgAUN+QgUww==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=boeing-s1912 header.d=boeing.com header.i="@boeing.com" header.h="From:To:CC:Subject:Date:References:In-Reply-To"; dkim=pass header.s=selector1-boeing-onmicrosoft-com header.d=boeing.onmicrosoft.com header.i="@boeing.onmicrosoft.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck"

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=boeing.com;

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>

Delivery-date: Wed, 15 Apr 2026 02:21:47 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHcy6n8SUKFV8ls/kGsGA5q0Nlt0bXdycCAgAGZ18A=

Thread-topic: [EXTERNAL] Re: [XEN PATCH] xen/common: validate shared memory guest address overlap with guest RAM

Hi Julien, Thank you for the review. I agree that the overlap issue is not limited to shared memory overlapping with RAM. It could happen with any P2M mapping during domain construction. I researched the callers of p2m_set_entry(). At a higher level, p2m_insert_mapping() callers can be categorized into two groups: runtime hypercalls and domain construction. Runtime hypercalls such as XENMEM_populate_physmap rely on overwriting existing mappings, so they must allow it. On the other hand, domain construction callers such as guest_physmap_add_pages() should not allow overwriting existing mappings. Since both categories depend on p2m_set_entry(), adding a blanket check there would break the runtime hypercall paths. My plan for v2 is to add a checked variant of p2m_insert_mapping() (named as p2m_insert_mapping_checked) that verifies no existing mapping is present before inserting. Domain build paths would use the checked version, while runtime hypercall paths remain unchanged. I also noticed a related TODO in p2m.h: /* TODO: Add a check in __p2m_set_entry() to avoid creating a mapping in * arch_domain_create() that requires p2m_put_l3_page() to be called. / This seems to be addressing a similar concern. Would the approach of a checked wrapper at the p2m_insert_mapping() level be acceptable, or would you prefer the check at a different level? Thank you, Joan > EXT email: be mindful of links/attachments. > > Hi Joan, > > Thank you for the patch. > > On 14/04/2026 09:59, Joan Bae wrote: >> Currently, process_shm() does not check whether the guest physical >> address of a shared memory region overlaps with the domain's allocated >> RAM banks. Neither process_shm() nor p2m_set_entry() checks for >> existing mappings, so the RAM mapping is silently overwritten if a user >> specifies a guest physical address that falls within the guest RAM >> range. Since construct_domain() loads the kernel after process_shm(), >> the kernel can end up in shared memory pages. This can cause: - Another >> domain corrupting the kernel via shared memory write - Silent guest >> crash with no error message from Xen > > This seems to be solving one specific issue (RAM clashing with shared > memory) but I believe this could also happen with other kind of mappings > because, as you said, p2m_set_entry() doesn't check any overlap. > > So I would rather prefer if we solve the problem once and for all. This > would mean modifying p2m_set_entry() (or one of its top caller). > Although, we would need to be careful to not break memory hypercalls > which may rely on overwriting existing mappings. > > Cheers, > Thanks, Joan Bae

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.