From: Julien Grall <julien.grall@arm.com>
To: Paul Durrant <Paul.Durrant@citrix.com>,
Andrew Cooper <Andrew.Cooper3@citrix.com>,
Xen-devel <xen-devel@lists.xen.org>
Cc: Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <wei.liu2@citrix.com>, Jan Beulich <JBeulich@suse.com>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: Re: [PATCH 5/5] xen/ARM: Restrict access to most HVM_PARAM's
Date: Thu, 6 Sep 2018 11:36:38 +0100 [thread overview]
Message-ID: <7b4f42e4-69ae-08f6-989f-b8e111d51419@arm.com> (raw)
In-Reply-To: <a3c720bb0dec4f248402bc766112fb32@AMSPEX02CL03.citrite.net>
Hi Paul,
On 06/09/18 10:29, Paul Durrant wrote:
>> -----Original Message-----
>> From: Andrew Cooper [mailto:andrew.cooper3@citrix.com]
>> Sent: 05 September 2018 19:12
>> To: Xen-devel <xen-devel@lists.xen.org>
>> Cc: Andrew Cooper <Andrew.Cooper3@citrix.com>; Jan Beulich
>> <JBeulich@suse.com>; Wei Liu <wei.liu2@citrix.com>; Roger Pau Monne
>> <roger.pau@citrix.com>; Paul Durrant <Paul.Durrant@citrix.com>; Stefano
>> Stabellini <sstabellini@kernel.org>; Julien Grall <julien.grall@arm.com>
>> Subject: [PATCH 5/5] xen/ARM: Restrict access to most HVM_PARAM's
>>
>> ARM currently has no restrictions on toolstack and guest access to the entire
>> HVM_PARAM block. As the paging/monitor/sharing features aren't under
>> security
>> support, this doesn't need an XSA.
>>
>> The CALLBACK_IRQ and {STORE,CONSOLE}_{PFN,EVTCHN} details exposed
>> read-only to
>> the guest, while the *_RING_PFN details are restricted to only toolstack
>> access. No other parameters are used.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>> ---
>> CC: Jan Beulich <JBeulich@suse.com>
>> CC: Wei Liu <wei.liu2@citrix.com>
>> CC: Roger Pau Monné <roger.pau@citrix.com>
>> CC: Paul Durrant <paul.durrant@citrix.com>
>> CC: Stefano Stabellini <sstabellini@kernel.org>
>> CC: Julien Grall <julien.grall@arm.com>
>>
>> This is only compile tested, and based on my reading of the source. There
>> might be other PARAMS needing including.
>> ---
>> xen/arch/arm/hvm.c | 62
>> +++++++++++++++++++++++++++++++++++++++++++++++++++---
>> 1 file changed, 59 insertions(+), 3 deletions(-)
>>
>> diff --git a/xen/arch/arm/hvm.c b/xen/arch/arm/hvm.c
>> index 76b27c9..3581ba2 100644
>> --- a/xen/arch/arm/hvm.c
>> +++ b/xen/arch/arm/hvm.c
>> @@ -31,6 +31,57 @@
>>
>> #include <asm/hypercall.h>
>>
>> +static int hvm_allow_set_param(const struct domain *d, unsigned int
>> param)
>> +{
>> + switch ( param )
>> + {
>> + /*
>> + * The following parameters are intended for toolstack usage only.
>> + * They may not be set by the domain.
>> + */
>> + case HVM_PARAM_CALLBACK_IRQ:
>> + case HVM_PARAM_STORE_PFN:
>> + case HVM_PARAM_STORE_EVTCHN:
>> + case HVM_PARAM_CONSOLE_PFN:
>> + case HVM_PARAM_CONSOLE_EVTCHN:
>
> Probably should remove the EVTCHN params from this list after fixing patch #3.
>
>> + case HVM_PARAM_PAGING_RING_PFN:
>> + case HVM_PARAM_MONITOR_RING_PFN:
>> + case HVM_PARAM_SHARING_RING_PFN:
>> + return d == current->domain ? -EPERM : 0;
>> +
>> + /* Writeable only by Xen, hole, deprecated, or out-of-range. */
>> + default:
>> + return -EINVAL;
>> + }
>> +}
>> +
>> +static int hvm_allow_get_param(const struct domain *d, unsigned int
>> param)
>> +{
>> + switch ( param )
>> + {
>> + /* The following parameters can be read by the guest and toolstack. */
>> + case HVM_PARAM_CALLBACK_IRQ:
>> + case HVM_PARAM_STORE_PFN:
>> + case HVM_PARAM_STORE_EVTCHN:
>> + case HVM_PARAM_CONSOLE_PFN:
>> + case HVM_PARAM_CONSOLE_EVTCHN:
>> + return 0;
>> +
>> + /*
>> + * The following parameters are intended for toolstack usage only.
>> + * They may not be read by the domain.
>> + */
>> + case HVM_PARAM_PAGING_RING_PFN:
>> + case HVM_PARAM_MONITOR_RING_PFN:
>> + case HVM_PARAM_SHARING_RING_PFN:
>> + return d == current->domain ? -EPERM : 0;
>> +
>> + /* Hole, deprecated, or out-of-range. */
>> + default:
>> + return -EINVAL;
>> + }
>> +}
>> +
>> long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE_PARAM(void)
>> arg)
>> {
>> long rc = 0;
>> @@ -46,9 +97,6 @@ long do_hvm_op(unsigned long op,
>> XEN_GUEST_HANDLE_PARAM(void) arg)
>> if ( copy_from_guest(&a, arg, 1) )
>> return -EFAULT;
>>
>> - if ( a.index >= HVM_NR_PARAMS )
>> - return -EINVAL;
>> -
>
> ASSERT here.
I don't think this would be correct. This is an input from the guest, so
if you do fuzzing you will end up to get an hypervisor crash rather than
returning an error.
A potential place for an ASSERT would be just before accessing
hvm.params. But then, technically the index should have been sanitized
by hvm_allow_{get,set}_param.
Cheers,
--
Julien Grall
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2018-09-06 10:36 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-05 18:11 [PATCH 0/5] xen: Fixes and improvements to HVM_PARAM handling Andrew Cooper
2018-09-05 18:12 ` [PATCH 1/5] x86/hvm: Switch hvm_allow_get_param() to use a whitelist Andrew Cooper
2018-09-06 8:56 ` Paul Durrant
2018-09-06 15:21 ` Andrew Cooper
2018-09-07 6:30 ` Jan Beulich
2018-09-07 8:55 ` Jan Beulich
2018-09-07 18:18 ` Andrew Cooper
2018-09-10 9:41 ` Jan Beulich
2018-09-07 15:42 ` Roger Pau Monné
2018-09-05 18:12 ` [PATCH 2/5] x86/hvm: Switch hvm_allow_set_param() " Andrew Cooper
2018-09-06 9:08 ` Paul Durrant
2018-09-06 15:27 ` Andrew Cooper
2018-09-07 16:01 ` Roger Pau Monné
2018-09-07 18:13 ` Andrew Cooper
2018-09-10 14:28 ` Roger Pau Monné
2018-09-05 18:12 ` [PATCH 3/5] x86/hvm: Make HVM_PARAM_{STORE, CONSOLE}_EVTCHN read-only to the guest Andrew Cooper
2018-09-06 9:16 ` Paul Durrant
2018-09-06 15:29 ` Andrew Cooper
2018-09-06 17:28 ` Julien Grall
2018-09-07 16:19 ` Paul Durrant
2018-09-07 16:03 ` Roger Pau Monné
2018-09-05 18:12 ` [PATCH 4/5] x86/hvm: Misc non-functional cleanup to the HVM_PARAM infrastructure Andrew Cooper
2018-09-06 9:26 ` Paul Durrant
2018-09-07 9:08 ` Jan Beulich
2018-09-07 16:23 ` Roger Pau Monné
2018-09-05 18:12 ` [PATCH 5/5] xen/ARM: Restrict access to most HVM_PARAM's Andrew Cooper
2018-09-06 9:29 ` Paul Durrant
2018-09-06 10:36 ` Julien Grall [this message]
2018-09-06 10:40 ` Andrew Cooper
2018-09-06 10:43 ` Paul Durrant
2018-09-06 10:40 ` Paul Durrant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7b4f42e4-69ae-08f6-989f-b8e111d51419@arm.com \
--to=julien.grall@arm.com \
--cc=Andrew.Cooper3@citrix.com \
--cc=JBeulich@suse.com \
--cc=Paul.Durrant@citrix.com \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.