
RE: [Xen-ia64-devel] PATCH: cleanup of tlbflush



>From: Tristan Gingold [mailto:Tristan.Gingold@xxxxxxxx]
>Sent: 11 May 2006 17:06
>>
>> No one talks about trusting domU. I'm not digging into xen/x86's code
>> to see how they prevent such malicious behavior by passing an incorrect
>> virtual address at domain unmap request. Maybe the solution is there,
>> maybe not. Anyway it's a common security issue, not specific to ia64.
>No, it is specific to ia64, because x86 purges the tlb.
>Our main problem is purge time: it is a simple instruction on x86
>(reloading cr3, maybe through IPI), while a lot of work on ia64.
>

No, it's common. Xen/x86 also relies on the passed gva to purge entries
in the writable page table. If a domain deliberately passes an incorrect hva
related to a granted entry, xen/x86 will also populate an incorrect pte entry.
Later, even after the tlb is purged, the domain is still able to access ungranted
pages since the stale entry is still in the pgtable.

That's why I say flush_tlb_mask should really flush the TLB only. The software
structure (vhpt for ia64, writable pgtable for x86) is manipulated earlier
by __gnttab_unmap_grant_ref, where the above security issue may apply.

Thanks,
Kevin
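The failure mode Kevin describes, as an added toy model (not Xen's code and not the patch under discussion): a hypervisor that clears whichever page-table entry the guest's unmap request names leaves the real mapping in place when the guest supplies a wrong address, and no amount of TLB purging removes it; keeping the hypervisor's own record of where it mapped each grant, and checking the guest-supplied address against that record, closes the gap. All names (`grant_map`, `grant_unmap_trusting`, `grant_unmap_checked`, `frame_still_mapped`, the toy page table and sample values) are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of grant unmap handling (added example; not Xen's code).
 * The hypervisor records every grant mapping it created for a domain,
 * including the guest address it used, so teardown never has to trust
 * an address supplied by the guest. All names are hypothetical. */

#define MAX_GRANTS  8
#define PT_ENTRIES  16
#define PAGE_SHIFT  12
#define PTE_PRESENT 1ULL

typedef struct {
    bool     in_use;
    uint32_t gref;      /* grant reference the mapping was made for */
    uint64_t guest_va;  /* guest virtual address the hypervisor mapped it at */
    uint64_t frame;     /* page-aligned machine frame that was granted */
} grant_map_t;

typedef struct {
    grant_map_t maps[MAX_GRANTS];
    uint64_t    pte[PT_ENTRIES];  /* toy page table, indexed by va >> PAGE_SHIFT */
    unsigned    tlb_flushes;      /* counts TLB purges (costly on ia64) */
} domain_t;

void domain_init(domain_t *d) { memset(d, 0, sizeof *d); }

static unsigned pt_index(uint64_t va) { return (unsigned)(va >> PAGE_SHIFT) % PT_ENTRIES; }

/* Pure TLB purge: touches no software structure, as the mail argues it should. */
static void flush_tlb(domain_t *d) { d->tlb_flushes++; }

static grant_map_t *find_map(domain_t *d, uint32_t gref)
{
    for (int i = 0; i < MAX_GRANTS; i++)
        if (d->maps[i].in_use && d->maps[i].gref == gref)
            return &d->maps[i];
    return NULL;
}

/* Map a granted frame at va on behalf of the domain and record where. */
int grant_map(domain_t *d, uint32_t gref, uint64_t va, uint64_t frame)
{
    if (find_map(d, gref) != NULL)
        return -1;                            /* already mapped */
    for (int i = 0; i < MAX_GRANTS; i++) {
        if (!d->maps[i].in_use) {
            d->maps[i] = (grant_map_t){ true, gref, va, frame };
            d->pte[pt_index(va)] = frame | PTE_PRESENT;
            return 0;
        }
    }
    return -1;                                /* table full */
}

/* Unsafe teardown: clears whichever PTE the guest-supplied va names.
 * A wrong va leaves the real mapping in place even after the TLB purge. */
int grant_unmap_trusting(domain_t *d, uint32_t gref, uint64_t guest_va)
{
    grant_map_t *m = find_map(d, gref);
    if (m == NULL)
        return -1;
    d->pte[pt_index(guest_va)] = 0;           /* may be the wrong entry */
    m->in_use = false;
    flush_tlb(d);
    return 0;
}

/* Hardened teardown: the PTE to clear comes from the hypervisor's own
 * record; a guest va that disagrees with it is rejected, nothing changes. */
int grant_unmap_checked(domain_t *d, uint32_t gref, uint64_t guest_va)
{
    grant_map_t *m = find_map(d, gref);
    if (m == NULL)
        return -1;
    if (m->guest_va != guest_va)
        return -2;
    d->pte[pt_index(m->guest_va)] = 0;
    m->in_use = false;
    flush_tlb(d);
    return 0;
}

/* True if a present PTE still points at frame: a stale entry survives and
 * the domain can keep reaching the ungranted page. */
bool frame_still_mapped(const domain_t *d, uint64_t frame)
{
    for (int i = 0; i < PT_ENTRIES; i++)
        if ((d->pte[i] & PTE_PRESENT) && (d->pte[i] & ~PTE_PRESENT) == frame)
            return true;
    return false;
}

int main(void)
{
    domain_t d;
    domain_init(&d);
    grant_map(&d, 7, 0x1000, 0xAA000);        /* constructed sample values */
    grant_unmap_trusting(&d, 7, 0x5000);       /* guest names the wrong va */
    printf("trusting unmap left stale mapping: %s\n",
           frame_still_mapped(&d, 0xAA000) ? "yes" : "no");

    domain_init(&d);
    grant_map(&d, 7, 0x1000, 0xAA000);
    printf("checked unmap with wrong va: rc=%d\n",
           grant_unmap_checked(&d, 7, 0x5000));
    return 0;
}
```

The point of the split between `flush_tlb` and the two unmap routines is the one in the mail: the TLB purge is only correct if the software structure it follows was updated from data the hypervisor controls, so the check belongs in the unmap path, not in the flush.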

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel