
Re: [Xen-devel] [PATCH V13 3/7] xen/arm: Allow hypervisor access to mem_access protected pages



On Thu, 2015-03-12 at 15:40 +0000, Julien Grall wrote:
> Hi Ian,
> 
> On 12/03/15 15:27, Ian Campbell wrote:
> >> Currently, check_type_get_page emulates only the check for 2). So you may
> >> end up allowing Xen to write to a read-only mapping (from the Stage 1 POV).
> >> This was XSA-98.
> > 
> > XSA-98 was purely about stage-2 permissions (e.g. read-only grants). The
> > fact that the resulting patch also checks stage-1 permissions is not a
> > security property AFAICT.
> 
> XSA-98 was for both... Without checking stage-1 permission a userspace
> which can issue a hypercall may be able to write into read-only kernel
> space. Whoops.

XSA-98 doesn't make any mention of this particular attack and talks
solely about guests writing to memory they shouldn't, not processes.

A userspace which can issue a hypercall is already root and has lots of
ways to rewrite kernel memory (starting with /dev/mem).

Anyway, enough splitting hairs: it probably is worth retaining this
behaviour since it seems pretty simple, just make gva_to_ipa_par take
the same flags as gva_to_ma_par and use it in the same way.


Ian.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 

