
Re: [Xen-devel] XSA-255 and Arm

Sorry I forgot to CC xen-devel.

On 09/12/2019 13:13, Julien Grall wrote:
Hi all,

I was looking at the Grant Table code over the week-end and noticed that XSA-255 [1] introduced some unintended consequences on Arm.

Since the XSA, gnttab_map_frame() will remove the previous mapping (if any) before mapping to the new GFN.

As on Arm we don't have an M2P, the GFN is stored per frame in the grant-table code. This will never get cleared during unmapping (e.g. XENMEM_remove_from_physmap) and therefore we may end up removing a mapping belonging to someone else (Arm does not check that the MFN is the correct one before removing the mapping).

This works well on x86 because the MFN-to-GFN translation uses the M2P. Therefore, the translation will be indirectly cleared when the mapping is removed via XENMEM_remove_from_physmap.

I could fix the P2M code to check the MFN on removal, but this is only fixing one part of the problem. For instance, gnttab_unpopulate_status_frame() also checks whether the GFN is still valid for each mapping.

Without the M2P, I can only see one solution. We would need to check whether the GFN corresponds to a grant frame and update the array on removal. This obviously requires looping through an array, which is not very great.

Any other ideas?


[1] grant table v2 -> v1 transition may crash Xen

Julien Grall
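The stale-GFN problem described in the mail, and the two mitigations it mentions (checking the MFN before removing a mapping, and scanning the per-frame GFN array on XENMEM_remove_from_physmap), modelled as an added example. This is a constructed toy model, not Xen code: the p2m is a flat array, the grant table only remembers a per-frame MFN and last-mapped GFN, and all names (gt_map_frame, p2m_remove_checked, remove_from_physmap_scan, OTHER_MFN) are hypothetical. The scenario maps grant frame 0 at GFN 5, has the guest remove GFN 5 and reuse it for an unrelated page, then remaps frame 0 elsewhere; without a check, the remap tears down the unrelated page's mapping.

```c
/* Constructed toy model of the Arm grant-frame stale-GFN issue; not Xen code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define P2M_SIZE   16
#define NR_FRAMES  4
#define INVALID    ((uint64_t)-1)
#define OTHER_MFN  0x1000u   /* hypothetical unrelated page the guest later maps */

typedef uint64_t gfn_t;
typedef uint64_t mfn_t;

struct p2m { mfn_t entry[P2M_SIZE]; };   /* gfn -> mfn, INVALID when unmapped (no M2P) */
struct gt  {
    mfn_t frame_mfn[NR_FRAMES];          /* machine frame backing each grant frame */
    gfn_t frame_gfn[NR_FRAMES];          /* GFN the frame was last mapped at (hypothetical) */
};

static void p2m_init(struct p2m *p) { for (size_t i = 0; i < P2M_SIZE; i++) p->entry[i] = INVALID; }
static void gt_init(struct gt *g, mfn_t base)
{
    for (size_t i = 0; i < NR_FRAMES; i++) { g->frame_mfn[i] = base + i; g->frame_gfn[i] = INVALID; }
}
static void p2m_add(struct p2m *p, gfn_t gfn, mfn_t mfn) { p->entry[gfn] = mfn; }

/* Unconditional removal: the behaviour the mail attributes to Arm. */
static void p2m_remove(struct p2m *p, gfn_t gfn) { p->entry[gfn] = INVALID; }

/* Mitigation 1: only tear the mapping down if it still points at the MFN we expect. */
static bool p2m_remove_checked(struct p2m *p, gfn_t gfn, mfn_t mfn)
{
    if (p->entry[gfn] != mfn) return false;   /* GFN now belongs to someone else */
    p->entry[gfn] = INVALID;
    return true;
}

/* gnttab_map_frame-like step: drop the previous mapping (if any), then map at new_gfn. */
static void gt_map_frame(struct gt *g, struct p2m *p, size_t idx, gfn_t new_gfn, bool check_mfn)
{
    if (g->frame_gfn[idx] != INVALID) {
        if (check_mfn) p2m_remove_checked(p, g->frame_gfn[idx], g->frame_mfn[idx]);
        else           p2m_remove(p, g->frame_gfn[idx]);
    }
    p2m_add(p, new_gfn, g->frame_mfn[idx]);
    g->frame_gfn[idx] = new_gfn;
}

/* Guest-initiated removal: clears the p2m but, without an M2P, never tells the grant table. */
static void remove_from_physmap(struct p2m *p, gfn_t gfn) { p2m_remove(p, gfn); }

/* Mitigation 2: scan the per-frame GFN array on removal and forget entries for this GFN. */
static void remove_from_physmap_scan(struct gt *g, struct p2m *p, gfn_t gfn)
{
    for (size_t i = 0; i < NR_FRAMES; i++)
        if (g->frame_gfn[i] == gfn && p->entry[gfn] == g->frame_mfn[i])
            g->frame_gfn[i] = INVALID;
    p2m_remove(p, gfn);
}

enum mode { MODE_BUGGY, MODE_CHECK_MFN, MODE_SCAN };

/* Runs the scenario and returns what is left mapped at GFN 5 afterwards. */
static mfn_t scenario(enum mode m)
{
    struct p2m p; struct gt g;
    p2m_init(&p); gt_init(&g, 0x100);

    gt_map_frame(&g, &p, 0, 5, m == MODE_CHECK_MFN);         /* frame 0 at gfn 5 */
    if (m == MODE_SCAN) remove_from_physmap_scan(&g, &p, 5);
    else                remove_from_physmap(&p, 5);          /* guest unmaps gfn 5 */
    p2m_add(&p, 5, OTHER_MFN);                               /* guest reuses gfn 5 */
    gt_map_frame(&g, &p, 0, 9, m == MODE_CHECK_MFN);         /* remap frame 0 at gfn 9 */
    return p.entry[5];   /* OTHER_MFN if the unrelated mapping survived, INVALID if clobbered */
}

int main(void)
{
    printf("buggy:     gfn 5 -> 0x%llx\n", (unsigned long long)scenario(MODE_BUGGY));
    printf("check mfn: gfn 5 -> 0x%llx\n", (unsigned long long)scenario(MODE_CHECK_MFN));
    printf("scan:      gfn 5 -> 0x%llx\n", (unsigned long long)scenario(MODE_SCAN));
    return 0;
}
```

In the unchecked mode the second gt_map_frame() call removes GFN 5 on the strength of the stale per-frame GFN and the guest's unrelated page disappears; the MFN check refuses the removal because the entry no longer points at the grant frame, and the scan option clears the stale GFN at unmap time so there is nothing to remove later. The scan models the cost the mail complains about: every removal walks the whole frame array.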
