
Re: Writing to arbitrary canonical addresses


  • To: Charles Gonçalves <charles.fg@xxxxxxxxx>, <xen-devel@xxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Tue, 20 Apr 2021 19:05:13 +0100
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 20/04/2021 17:13, Charles Gonçalves wrote:
> Hello Guys,
>
> I'm trying to reproduce old exploit behaviors in a simplistic way:
> create a hypercall to write a buffer to a specific MFN.
>
> At first, I thought that updating an l1 page in a valid VA in guest
> kernel space would do the trick.
> But for addresses outside the Guest-defined use (0x0000000000000000 -
> 0x00007fffffffffff) it is a no go!
> I get a page fault with a 'reserved bit in page table' warning message.
>
> Now I'm trying to write to the address inside the hypervisor code, but
> I'm not sure how to do it.
>
> Any comments or tips on this?

So you're looking to add a hypercall to make arbitrary unaudited changes
to arbitrary memory, to simulate past security issues?

If you're seeing "Reserved bit in page table" then you've managed to
corrupt a pagetable entry somehow.  Xen doesn't write any reserved bits
(which it doesn't know how to interpret).

I'm afraid that if you want any further help with this specific failure,
you're going to have to post your changes to Xen somewhere.  pastebin,
or a pointer to a git branch, or whatever, but my divination skills
aren't great...

~Andrew
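The two things the thread turns on are the canonical-address rule for the guest range quoted above and what a "reserved bit in page table" fault actually means: the CPU walked to a present entry that has a bit set which the paging mode defines as reserved. The following is an added diagnostic example, not code from this thread, from Xen, or from either poster. It decodes a 64-bit x86 entry under 4-level paging according to the Intel SDM reserved-bit rules and reports which bits would trigger that fault; `MAXPHYADDR` is assumed to be 46 here (a real checker would read it from CPUID leaf 0x80000008), and the sample entries are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example; real code reads CPUID 0x80000008 EAX[7:0]. */
#define MAXPHYADDR   46u

#define PTE_P   (1ULL << 0)    /* present */
#define PTE_PS  (1ULL << 7)    /* page size: large page at L2/L3; reserved at L4 */
#define PTE_NX  (1ULL << 63)   /* no-execute: reserved when EFER.NXE == 0 */

/* A 48-bit linear address is canonical when bits 63:47 are all copies of bit 47. */
bool is_canonical_48(uint64_t va)
{
    uint64_t top = va >> 47;             /* the 17 bits 63..47 */
    return top == 0 || top == 0x1ffffULL;
}

/* Reserved-bit mask for a present entry at the given level
 * (1 = PTE, 2 = PDE, 3 = PDPTE, 4 = PML4E) under 4-level paging. */
uint64_t reserved_mask(unsigned level, uint64_t entry, bool nx_enabled)
{
    /* Physical-address bits 51:MAXPHYADDR are reserved at every level. */
    uint64_t mask = ((1ULL << 52) - 1) & ~((1ULL << MAXPHYADDR) - 1);

    switch (level) {
    case 4:
        mask |= PTE_PS;                               /* no 512GB pages */
        break;
    case 3:
        if (entry & PTE_PS)                           /* 1GB page: bits 29:13 */
            mask |= ((1ULL << 30) - 1) & ~((1ULL << 13) - 1);
        break;
    case 2:
        if (entry & PTE_PS)                           /* 2MB page: bits 20:13 */
            mask |= ((1ULL << 21) - 1) & ~((1ULL << 13) - 1);
        break;
    default:
        break;                                        /* L1: bit 7 is PAT, not reserved */
    }
    if (!nx_enabled)
        mask |= PTE_NX;
    return mask;
}

/* The reserved bits actually set in the entry; 0 for a well-formed or
 * non-present entry (the CPU only checks reserved bits on present entries). */
uint64_t reserved_bits_set(unsigned level, uint64_t entry, bool nx_enabled)
{
    if (!(entry & PTE_P))
        return 0;
    return entry & reserved_mask(level, entry, nx_enabled);
}

/* Constructed sample entries: a sane 4K PTE, and the same PTE with a stray
 * bit 50 set, which sits above the assumed MAXPHYADDR. */
static const uint64_t SAMPLE_GOOD_PTE = 0x0000000012345063ULL | PTE_NX;
static const uint64_t SAMPLE_BAD_PTE  = 0x0000000012345063ULL | PTE_NX | (1ULL << 50);

int main(void)
{
    printf("good PTE: reserved bits = 0x%llx\n",
           (unsigned long long)reserved_bits_set(1, SAMPLE_GOOD_PTE, true));
    printf("bad PTE:  reserved bits = 0x%llx\n",
           (unsigned long long)reserved_bits_set(1, SAMPLE_BAD_PTE, true));
    printf("0x00007fffffffffff canonical: %d\n", is_canonical_48(0x00007fffffffffffULL));
    printf("0x0000800000000000 canonical: %d\n", is_canonical_48(0x0000800000000000ULL));
    printf("0xffff800000000000 canonical: %d\n", is_canonical_48(0xffff800000000000ULL));
    return 0;
}
```

Running the entry suspected of causing the fault through `reserved_bits_set()` at the level where the walk stopped gives the exact bit that is wrong, which is usually more informative than the fault itself; note also that a non-canonical address such as 0x0000800000000000 raises #GP rather than a reserved-bit page fault, so the two symptoms point at different mistakes.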
