
Re: [Xen-devel] [PATCH 11/12] xen/gntdev: mark userspace PTEs as special on x86 PV guests

On Wed, 2015-01-07 at 13:23 +0000, David Vrabel wrote:
> On 07/01/15 12:11, Ian Campbell wrote:
> > On Tue, 2015-01-06 at 18:57 +0000, David Vrabel wrote:
> >> In an x86 PV guest, get_user_pages_fast() on a userspace address range
> >> containing foreign mappings does not work correctly because the M2P
> >> lookup of the MFN from a userspace PTE may return the wrong page.
> >>
> >> Force get_user_pages_fast() to fail on such addresses by marking the PTEs
> >> as special.
> >>
> >> If Xen has XENFEAT_gnttab_map_avail_bits (available since at least
> >> 4.0),
> > 
> > http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix says the dom0
> > pvpops already requires >= 4.0 too, which matches my recollection
> > (something to do with a new APIC interface which upstream insisted on
> > during upstreaming, IIRC), but both could be out of date...
> gntdev is usable by driver domains and useful for inter-domain comms so
> it isn't limited to dom0 use only and Linux still needs to run on Xen
> 3.2 (I think that's the oldest still available on AWS).

Ah yes, driver domains...

> Because of the m2p override limitation, gntdev is currently unsafe[1] to
> use by untrusted userspace apps so there's no (new) security issues here.
> However, we could disable gntdev if this feature is missing unless
> overridden by a module option.  Opinions on this?

If it is exploitable by untrusted apps in the new form (the race between
mmap and the pte update still is, right?), then that might be best, or
only allow root to open it?

> David
> [1] mapping a ref twice or a two refs for the same frame can corrupt
> kernel state in various exciting ways because of messed up page ref counts.

Xen-devel mailing list


