Re: [Xen-devel] [PATCH] x86/hvm: Fix use-after-free introduced by c/s 428607a
>>> On 02.02.16 at 12:39, <czuzu@xxxxxxxxxxxxxxx> wrote:
> On 2/2/2016 12:52 PM, Jan Beulich wrote:
>>> NULLing the pointers would cause things like rtc_deinit() to always blow
>>> up when it followed the NULL pointer.
>>>
>>> IMO, we should unconditionally always NULL pointers when freeing a
>>> pointer which isn't in local scope. It would make issues such as these
>>> completely obvious.
>> As would poisoning the pointers, yet poisoning has the advantage
>> of not allowing PV guests to control what the hypervisor might
>> access when erroneously de-referencing such a pointer.
>
> Jan, that sounds interesting. I hope I'm not intruding, but when you
> have the time, could you please expand on this?
> Besides distinguishing a nuked pointer from zeroed-out memory, I did not
> know of any other advantage of 0xDEADBEEF pointer poisoning (generally
> or specifically).
> How could possibly setting a pointer to NULL allow a PV guest to control
> what the hypervisor might access, if the hypervisor *can't access* a
> NULL pointer?
> And can a PV guest write data @ *hypervisor's* 0 page (virtual and/or
> physical)?

Since the answer to this last question is "yes" (for the virtual page 0
only of course), I suppose the rest is obvious.

Jan
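The point Jan is making above, worked through as an added example (not code from this thread or from Xen itself; PTR_POISON, the struct layout and the function names are assumptions): a freed pointer reset to NULL still yields a small, canonical address when a stale field access adds its offset, which on x86-64 sits in virtual page 0 where a PV guest can place data, whereas a non-canonical poison value makes the same stale access fault immediately.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed poison value (not Xen's actual constant): bits 63:48 are not a
 * sign-extension of bit 47, so on x86-64 the address is non-canonical and
 * any dereference faults instead of reading memory something else mapped. */
#define PTR_POISON ((void *)0xdead000000000000ULL)

/* Free a heap object and poison the pointer that referred to it. */
#define FREE_AND_POISON(p) do { free(p); (p) = PTR_POISON; } while (0)

/* Constructed stand-in for per-domain RTC emulation state. */
struct rtc_state {
    uint8_t regs[16];
    uint64_t period;        /* small offset from the object base */
};

struct domain { struct rtc_state *rtc; };

/* x86-64 canonical check: bits 63:48 must all equal bit 47. */
int is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Address a stale `d->rtc->period` access would touch after the object was
 * freed, computed as integer arithmetic so nothing is dereferenced. A NULL
 * base lands in virtual page 0 (guest-controllable for a PV guest); the
 * poison base is non-canonical and faults. */
uint64_t stale_field_addr(const void *stale_base)
{
    return (uint64_t)(uintptr_t)stale_base + offsetof(struct rtc_state, period);
}

void rtc_deinit(struct domain *d)
{
    FREE_AND_POISON(d->rtc);
}

/* Allocate, tear down, and report whether the stale pointer is poisoned. */
int deinit_leaves_poison(void)
{
    struct domain d = { .rtc = calloc(1, sizeof(struct rtc_state)) };
    if (!d.rtc)
        return 0;
    rtc_deinit(&d);
    return d.rtc == PTR_POISON;
}
```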