
Re: [PATCH] ioreq: don't (deliberately) crash Dom0

  • To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Mon, 1 Feb 2021 15:37:41 +0000
  • Cc: Paul Durrant <paul@xxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>
  • Delivery-date: Mon, 01 Feb 2021 15:37:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 01/02/2021 15:22, Jan Beulich wrote:
> We consider this error path of hvm_alloc_ioreq_mfn() to not be possible
> to be taken, or otherwise to indicate abuse or a bug somewhere. If there
> is abuse of some kind, crashing Dom0 here would mean a system-wide DoS.
> Only crash the emulator domain if it's not the (global) control domain;
> crash only the guest being serviced otherwise.
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Honestly, I'm -1 towards this.

Asymmetrically shooting things which aren't dom0 only complicates
investigations, and doesn't remove the fact that this is an XSA.

I do not subscribe to the opinion that keeping dom0 running at all
possible costs is the best thing for the system.

In this particular case, the theoretical cases where it can go wrong
might not be the fault of either domain.


> --- a/xen/common/ioreq.c
> +++ b/xen/common/ioreq.c
> @@ -274,7 +274,7 @@ static int hvm_alloc_ioreq_mfn(struct hv
>           * The domain can't possibly know about this page yet, so failure
>           * here is a clear indication of something fishy going on.
>           */
> -        domain_crash(s->emulator);
> +        domain_crash(is_control_domain(s->emulator) ? s->target : 
> s->emulator);
>          return -ENODATA;
>      }
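
Review bot: The unchanged comment above the new domain_crash() call still refers only to "The domain", and nothing in the code explains why s->target is chosen when is_control_domain(s->emulator) is true. Consider extending that comment to say that the guest being serviced is crashed in place of a control-domain emulator to avoid a system-wide DoS, as the commit message does. Since the domain being crashed is no longer always the emulator, a log message naming both s->emulator and s->target before returning -ENODATA would also make later investigation of this path easier.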


