From: Ian Campbell <Ian.Campbell@citrix.com>
To: xen-devel <xen-devel@lists.xen.org>
Cc: Julien Grall <julien.grall@citrix.com>, Tim Deegan <tim@xen.org>,
	Stefano Stabellini <stefano.stabellini@citrix.com>
Subject: Re: [RFC PATCH 0/9] xen: arm: reenable support for 32-bit userspace running in 64-bit guest.
Date: Tue, 9 Sep 2014 17:23:33 +0100
Message-ID: <1410279813.8217.239.camel@kazak.uk.xensource.com>
In-Reply-To: <1410279730.8217.238.camel@kazak.uk.xensource.com>

On Tue, 2014-09-09 at 17:22 +0100, Ian Campbell wrote:

Not sure why I put RFC in the subject here, it's not, it's an actual
submission of patches.

> XSA-102/CVE-2014-5147[0] concerned a crash when trapping from 32-bit
> userspace in a 64-bit guest. Part of that security patch was c0020e09970
> "xen: arm: Handle traps from 32-bit userspace on 64-bit kernel as undef
> fix" which turned the exploitable crash into a #undef to the guest (so
> as to kill the process but not the host) as a workaround for the issue.
> 
> However while this prevented the exploit it did not make 32-bit
> userspaces which were prone to triggering the issue actually work.
> 
> This series consists of some patches which I originally wrote for
> XSA-102 to fix the issue properly before it was determined that those
> fixes were too invasive by far for a security update. At the end of the
> series is a new patch which removes the XSA-102 workaround since all
> problematic traps should now be handled.
> 
> Since these were originally intended to be the security fix they have
> had a fair bit of scrutiny already in private. However since there is
> now a risk of reintroducing XSA-102 I would appreciate a pretty thorough
> second pair of eyes on it this time around.
> 
> I've tested this with a local utility which tries to access the various
> cp and system registers from both 32- and 64-bit processes and checks
> that they either work or give the expected traps. Since this tool is
> effectively an exploit for XSA-102 I'm not sharing it here, but if you ask
> nicely and appear to be wearing the correct colour hat I might share it
> with you (it's not terribly impressive, so don't get too excited).
> 
> I've also successfully booted the VM which originally caused XSA-102 to
> be discovered (FSVO successfully, since the VM image appears to be
> broken, but it no longer crashes for 32-on-64 reasons...)
> 
> Ian.
> 
> [0] http://xenbits.xen.org/xsa/advisory-102.html
