Re: [PATCH 7/7] x86/mm: Prevent 32bit PV guests using out-of-range linear addresses

From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: Xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH 7/7] x86/mm: Prevent 32bit PV guests using out-of-range linear addresses
Date: Tue, 12 Sep 2017 17:04:56 +0100	[thread overview]
Message-ID: <31181793-caa2-2002-bf0f-7cb2fb5823b0@citrix.com> (raw)
In-Reply-To: <59B81E67020000780017A511@prv-mh.provo.novell.com>

On 12/09/17 16:50, Jan Beulich wrote:
>>>> On 12.09.17 at 14:14, <andrew.cooper3@citrix.com> wrote:
>> The grant ABI uses 64 bit values, and allows a PV guest to specify linear
>> addresses.  There is nothing interesting a 32bit PV guest can reference which
>> will pass an __addr_ok() check, but it should still get an error for trying.
> While I'm all for tightening checks, I'm not sure we reasonably can:
> Existing guests may (perhaps inadvertently) rely on this behavior,
> and hence may break with the change. I think a prereq to this is to
> have a command line option (or even a per-guest one) to control
> strict vs relaxed argument checking behavior, and tie the extra
> checks to that option being true.

At the moment, any attempt to use this behaviour will still cause a
general error, because we cant locate an L1e mapping the out-of-range
linear address.  Therefore, the guest wouldn't have had the grant
operation succeed before.

The problem is that its a latent security bug if we ever chose to reuse
these ranges for other purposes.

E.g. One idea I've had for a while is to move the XLAT translation logic
into guest mode, accessed via a modification to the hypercall page. 
This would mitigate security issues such as infinite loops or boundary
overflows, both of which we've had in the XLAT logic in the past.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel