
Re: [Xen-devel] [xen-unstable test] 56456: regressions - FAIL



On 19/05/15 at 17.07, Roger Pau Monné wrote:
> On 19/05/15 at 12.29, Jan Beulich wrote:
>>>>> On 19.05.15 at 12:20, <tim@xxxxxxx> wrote:
>>> At 12:19 +0100 on 18 May (1431951570), Jan Beulich wrote:
>>>>>>> On 18.05.15 at 12:50, <roger.pau@xxxxxxxxxx> wrote:
>>>>> On 18/05/15 at 12.17, Tim Deegan wrote:
>>>>>>  - have map_dirty_bitmap() DTRT, with something like access_ok() +
>>>>>>    a linear-pagetable lookup to find the frame.
>>>>>
>>>>> That was my first intention, but AFAICT we have no function in tree to
>>>>> resolve a PV guest VA into a GFN/MFN. The closest thing I could find was
>>>>> using guest_walk_tables + guest_walk_to_gfn in order to obtain the gfn.
>>>>> Should I send a patch to introduce a pv_gva_to_gfn function based on that?
>>>>
>>>> Isn't that what we have the linear page table and guest_map_l1e()
>>>> for?
>>>
>>> Yes, or in this case guest_get_eff_l1e().  We'd want to make sure we
>>> get_page() the underlying page as well to guard against it being freed
>>> and reused while we have a mapping.
>>>
>>> That won't check user/supervisor or write permissions in the upper
>>> levels of the tree.  OTOH, __copy_to_user() doesn't either, so maybe
>>> we don't care.
>>
>> Hmm, permissions are being checked by __copy_to_user() afaict
>> (due to us using the actual page tables), so that being bypassed
>> here would seem wrong then.
> 
> The only way I see to check for permissions of all levels is to use
> guest_walk_tables instead of guest_get_eff_l1e, but that's going to make
> this quite slow (as compared to the previous implementation).

After looking into this a little bit more, I'm afraid I don't see a
straightforward way to check for the permissions of all paging levels.
Here are the options I've found in order to deal with this:

 - Use guest_get_eff_l1e and only check for the permissions of the L1
   entry. Is it possible that the guest places an invalid entry in the
   linear l1 table without Xen realizing?

 - Add a new function hook somewhere (pv_domain maybe?) that can be
   used to translate GVA to PFN for PV guests (mimicking what
   paging_gva_to_gfn does). This would be implemented using
   guest_walk_X_level, where X is the paging levels of the guest.

 - Use some glue to be able to call guest_walk_{3/4}_level from
   paging.c directly, and correctly choose which one to use based on
   the guest bitness. IMHO this looks quite wacky, and I'm not even
   sure if it's possible given the amount of preprocessor foo in
   guest_pt.h.

I have the first option already implemented, but I would appreciate some
advice regarding the security implications of it.

Thanks, Roger.
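
Added example, not part of the original message and not Xen code: a simplified C model of the difference between checking only the L1 entry (the first option above) and checking every paging level. It assumes the x86 rule that the effective R/W and U/S rights of a mapping are the AND of those bits across all levels, and ignores CR0.WP and NX; `struct walk`, the function names and the sample walks are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PTE_P  0x1u   /* present */
#define PTE_RW 0x2u   /* writable */
#define PTE_US 0x4u   /* user accessible */
#define LEVELS 4

/* Constructed model: flags of the entry selected at each level for one
 * virtual address, index 0 = L4 (top) ... index 3 = L1 (leaf). */
struct walk { uint32_t flags[LEVELS]; };

/* Constructed samples: every level writable, and an L1 entry marked
 * writable underneath a read-only L2 entry. */
static const struct walk all_rw = {{ 0x7, 0x7, 0x7, 0x7 }};
static const struct walk l2_ro  = {{ 0x7, 0x7, 0x5, 0x7 }};

/* L1-only check: inspects the leaf entry and nothing above it. */
static bool l1_only_allows(const struct walk *w, uint32_t need)
{
    uint32_t l1 = w->flags[LEVELS - 1];
    return (l1 & PTE_P) && (l1 & need) == need;
}

/* Full-walk check: every level must be present, and the effective
 * rights are the AND of R/W and U/S over all levels. */
static bool full_walk_allows(const struct walk *w, uint32_t need)
{
    uint32_t eff = PTE_RW | PTE_US;
    for (size_t i = 0; i < LEVELS; i++) {
        if (!(w->flags[i] & PTE_P))
            return false;
        eff &= w->flags[i];
    }
    return (eff & need) == need;
}

int main(void)
{
    printf("all_rw: l1-only=%d full=%d\n",
           l1_only_allows(&all_rw, PTE_RW), full_walk_allows(&all_rw, PTE_RW));
    printf("l2_ro:  l1-only=%d full=%d\n",
           l1_only_allows(&l2_ro, PTE_RW), full_walk_allows(&l2_ro, PTE_RW));
    return 0;
}
```

In the `l2_ro` sample the two checks disagree, which is the case the question about upper-level permissions is concerned with.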
