|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [Xen-ia64-devel] PATCH: cleanup of tlbflush
>From: Isaku Yamahata [mailto:yamahata@xxxxxxxxxxxxx] >Sent: 2006年5月11日 11:07 > >On Thu, May 11, 2006 at 10:39:52AM +0800, Tian, Kevin wrote: > >> >It will get an undesirable result or xen destroys it as a result. >> >The issue here is that trusting dom0 when unmapping granted pages >> >may affect a whole system or xen itself potentially. >> >> Xen itself will not be affected. The granted frame or mapping virtual >> address always belong to domain, instead of xen itself. > >Xen can be affected potentially. >It is possible for a domain to return pages to xen >by XENMEM_decrease_reservation. >Please consider followings >1. domain A grants dom0 to map a page. >2. dom0 maps the page, accesses it and unmaps it lying virtual address. >3. xen flushes it but the virtual address is wrong. > Here dom0 might be able to access the page. >4. domain A returns the page to xen by >XENMEM_decrease_reservation. >5. Xen reuses the page for its own purpose. >6. dom0 overwrites the page via the true virtual address. > Xen's data are destroyed. > >Presumably at 4./5. xen can defer freeing the page. > > I agree and there'll be more corner cases where dom0 can corrupt xen. But note, the whole xen virtual environment is constructed by both dom0 and xen hypervisor. If dom0 is already hacked and malicious, the whole system is already broken irregardless of whether xen content is corrupted. :-) But yes we still need to make it safer. Thanks, Kevin _______________________________________________ Xen-ia64-devel mailing list Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-ia64-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |