Re: [PATCH] tools/ioemu: Fixing Security Hole in Qemu MSIX table access management

From: "Jan Beulich" <JBeulich@novell.com>
To: Ian Jackson <Ian.Jackson@eu.citrix.com>
Cc: xen-devel@lists.xensource.com, TimDeegan <Tim.Deegan@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Donald D Dugger <donald.d.dugger@intel.com>,
	Keir Fraser <keir.fraser@eu.citrix.com>,
	Haitao Shan <maillists.shan@gmail.com>
Subject: Re: [PATCH] tools/ioemu: Fixing Security Hole in Qemu MSIX table access management
Date: Thu, 25 Aug 2011 12:55:02 +0100	[thread overview]
Message-ID: <4E565436020000780005336A@nat28.tlf.novell.com> (raw)
In-Reply-To: <20054.11440.90844.633430@mariner.uk.xensource.com>

>>> On 25.08.11 at 13:06, Ian Jackson <Ian.Jackson@eu.citrix.com> wrote:
> Haitao Shan writes ("[Xen-devel] [PATCH] tools/ioemu: Fixing Security Hole in 
> Qemu MSIX table access management"):
>> As reported by Jan, current Qemu does not handle MSIX table mapping 
> properly.
>> 
>> Details:
>> 
>> MSI-X table resides in one of the physical BARs. When Qemu handles
>> guest's changes to BAR register (within which, MSI-X table resides),
>> Qemu first allows access of the whole BAR MMIO ranges and then removes
>> those of MSI-X. There is a small window here. It is possible that on a
>> SMP guests one vcpu could have access to the physical MSI-X
>> configurations when another vcpu is writing BAR registers.
>> 
>> The patch fixes this issue by first producing the valid MMIO ranges by
>> removing MSI-X table's range from the whole BAR mmio range and later
>> passing these ranges to Xen.
> 
> I'm afraid it wasn't clear to me what the consensus was on the status
> of the attached patch, and I'm not very familiar with the code.

Afaict, the change here removes only the smallest part of problem: Xen
already forces any mapping attempts of the MSI-X table by DomU-s to
be read-only once the respective MSI gets set up, so the window during
which the guest has full access exists only before any MSI gets set up.

> Also, if this is a security problem we should really issue an advisory...

In a larger round on one of the BOFs on the summit we agreed there is
an issue in that the way it currently works, qemu's (on behalf of and
exclusively driven by the guest) direct writing to the mask bit represents
a security problem, since Xen itself needs to be able to force interrupts
masked during certain operations (move_native_irq(), IRQ rate limiting,
2nd instance of already pending guest IRQ, and fixup_irq()), and
failure here would potentially affect the whole system.

My (limited) understanding of qemu-kvm's dealing with that is that they
hide the physical mask bit from the guest altogether, which works
presumably because during normal operation the bit never gets fiddled
with (but in polling mode some network drivers do make use of it, and
I'd expect that not to work under KVM, unless my reading of their
sources was wrong).

Jan