[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [EXTERNAL] Re: [XEN PATCH] xen/common: validate shared memory guest address overlap with guest RAM

  • To: Julien Grall <julien@xxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: "Bae, Joan" <joan.bae@xxxxxxxxxx>
  • Date: Tue, 21 Apr 2026 23:41:37 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=boeing.com; dmarc=pass action=none header.from=boeing.com; dkim=pass header.d=boeing.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=RaE2bzzx7I0+KXwrYhGKyMgM6Gd7tv85z6P9lL1CL9E=; b=KfL5opRJHcHVPJ+F4UPgoA1ZvsyOHKJgD5kxSFTu/mTGD+4S+P5q5QRYYPEd72DBJUJ+KQTPbHuM1AAMeCFrf6nh8M3q/OOQepDqonzMtdE2RlJ7ExwKrOH1MJSdIRLIaV3fcPZXZhCgIx/rGdlihfi0lX93K+O+9UJCowCjoOt6Prehvy6laDTDRORMgf5+7Mo5M81iupNN0j/U5moXW4S3F6BGeCPwId7ji778ylvOwholxqq+xoyL6l49CtSvfGRAlC3Cfm1LB0ne7ywHz7+Zvk2y0TXt1KIkElICLJqMpjdxuotmzuGfRTGtEzdD+3QUC4eAub3SlX9Dnd8vRA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=itBK2dSQd70qmbTY9Qb+ulVLRFOtxaWIEH3lwAKorZ2fjFuFX0aU4dZ0YVWBDw/Sdez89uFzuQMQF9y5WvZwWGHwt6RfqzXV1sPEsZFXy75+53WJCNBIDJniWCn0KL7HJ+HaWClKjxXvhcd3XYrF1EHOzsqm9kRJW8AZdfo4DewQj3OmNv9fxjJQmMom0FZ+GEgkYdcgpklUkrhmyBW9a3FUKj2aJb+Zu8ZrNqVOzgxZBc81qnKxB3gt1N5EQLW7YDROAMUcfcH2Zr/hTEMt0juwH2EnTWpf/rgzUrfog2VBLhI8dl/ac21dHynpptNfoMS34L0AFQ4cOjz3wxXdAg==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=boeing-s1912 header.d=boeing.com header.i="@boeing.com" header.h="From:To:CC:Subject:Date:References:In-Reply-To"; dkim=pass header.s=selector1-boeing-onmicrosoft-com header.d=boeing.onmicrosoft.com header.i="@boeing.onmicrosoft.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:x-ms-exchange-senderadcheck"
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=boeing.com;
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>
  • Delivery-date: Tue, 21 Apr 2026 23:42:10 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQHcy6n8SUKFV8ls/kGsGA5q0Nlt0bXdycCAgAGZ18CACtTL4A==
  • Thread-topic: [EXTERNAL] Re: [XEN PATCH] xen/common: validate shared memory guest address overlap with guest RAM
Hi Julien,

> Hi Julien,
> 
> Thank you for the review. I agree that the overlap issue is not limited to 
> shared
> memory overlapping with RAM. It could happen with any P2M mapping
> during domain construction.
> 
> I researched the callers of p2m_set_entry(). At a higher level,
> p2m_insert_mapping() callers can be categorized into two groups: runtime
> hypercalls and domain construction.
> 
> Runtime hypercalls such as XENMEM_populate_physmap rely on overwriting
> existing mappings, so they must allow it. On the other hand, domain
> construction callers such as guest_physmap_add_pages() should not allow
> overwriting existing mappings.
> 
> Since both categories depend on p2m_set_entry(), adding a blanket check
> there would break the runtime hypercall paths.
> 
> My plan for v2 is to add a checked variant of p2m_insert_mapping() (named
> as p2m_insert_mapping_checked) that verifies no existing mapping is present
> before inserting. Domain build paths would use the checked version, while
> runtime hypercall paths remain unchanged.
> 
> I also noticed a related TODO in p2m.h:
> /* TODO: Add a check in __p2m_set_entry() to avoid creating a mapping in
> * arch_domain_create() that requires p2m_put_l3_page() to be called. /
> 
> This seems to be addressing a similar concern. Would the approach of a
> checked wrapper at the p2m_insert_mapping() level be acceptable, or would
> you prefer the check at a different level?
> 
> Thank you,
> Joan
> 
>> EXT email: be mindful of links/attachments.
>> 
>> Hi Joan,
>> 
>> Thank you for the patch.
>> 
>> On 14/04/2026 09:59, Joan Bae wrote:
>>> Currently, process_shm() does not check whether the guest physical
>>> address of a shared memory region overlaps with the domain's
>>> allocated RAM banks. Neither process_shm() nor p2m_set_entry() checks
>>> for existing mappings, so the RAM mapping is silently overwritten if
>>> a user specifies a guest physical address that falls within the guest
>>> RAM range. Since construct_domain() loads the kernel after
>>> process_shm(), the kernel can end up in shared memory pages. This can
>>> cause: - Another domain corrupting the kernel via shared memory write
>>> - Silent guest crash with no error message from Xen
>> 
>> This seems to be solving one specific issue (RAM clashing with shared
>> memory) but I believe this could also happen with other kind of
>> mappings because, as you said, p2m_set_entry() doesn't check any overlap.
>> 
>> So I would rather prefer if we solve the problem once and for all.
>> This would mean modifying p2m_set_entry() (or one of its top caller).
>> Although, we would need to be careful to not break memory hypercalls
>> which may rely on overwriting existing mappings.
>> 
>> Cheers,
>> 
> 
> Thanks,
> Joan Bae
>

Gentle ping on this one. Please let me know if the proposed direction looks 
right.

Thanks,
Joan Bae

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.