From: "Charles Gonçalves" <charles.fg@gmail.com>
To: xen-devel@lists.xen.org
Subject: PV - different behavior of pgd_offset in xen 4.6 and 4.13 for GUEST ACCESSIBLE memory area
Date: Thu, 7 Oct 2021 16:10:35 +0100	[thread overview]
Message-ID: <CAAQRGoBQZ4mMWy2ibectwbN85oWvgcwus2rwO23u7BA7JWbf+A@mail.gmail.com> (raw)

Hello Guys,

During some experiments in my PhD I've tried to reuse some code from
Jann Horn (https://bugs.chromium.org/p/project-zero/issues/detail?id=1184)
that used the mapping in

```
0xffff804000000000 - 0xffff807fffffffff [256GB, 2^38 bytes, PML4:256]
Reserved for future shared info with the guest OS (GUEST ACCESSIBLE)
```
to map some temporary page table data to be able to attack the system.

This used to work on Xen 4.6:

```
#include <linux/sched.h>   /* current */
#include <asm/pgtable.h>   /* pgd_offset(), pgd_val() */
#define MY_SECOND_AREA 0xffff804000000000ULL  /* start of the GUEST ACCESSIBLE range */
printk("PML4 entry: 0x%lx\n",
       (unsigned long)pgd_val(*pgd_offset(current->mm, MY_SECOND_AREA)));
```

In Xen 4.6:

`[ 3632.620105] PML4 entry: 0x183d125067`
Returns a valid PGD (pgd_present(*pgd) == true)

but behaves differently in Xen 4.13 (despite no change in
asm-x86/config.h).

In Xen 4.13:

`[70386.796119] PML4 entry: 0x800000021a445025`
Returns a bad PGD (pgd_bad(*pgd) == true)

I could not find any reference on the RELEASE-4.13.0 branch as to why
this happens.
Any hint of what is happening here?
Has Xen changed the way it handles memory from regions in the range
0xffff804000000000 - 0xffff807fffffffff across those versions?

I'm running on Intel x64 in paravirtualization mode; the only
difference in the system is the Xen version.


Best regards,
Charles Ferreira Gonçalves
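Decoding the two PML4 values quoted in the mail against Linux's own pgd_bad() test, as an added example that is not part of the original message nor of the Xen or Linux sources. The flag names and the pgd_present()/pgd_bad()/_KERNPG_TABLE logic are local re-definitions that follow what Linux's x86 pgtable_types.h and pgtable.h do (pgd_bad() ignores _PAGE_USER, and also _PAGE_NX when page-table isolation is built in; everything else must equal PRESENT|RW|ACCESSED|DIRTY); the 52-bit physical address width used for the PFN mask is an assumption. Running it shows that the Xen 4.13 entry is present but has RW and Dirty clear and NX set, which is exactly why Linux classifies it as bad, whereas the Xen 4.6 entry carries the full _KERNPG_TABLE set.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table entry flag bits, named as in Linux pgtable_types.h.
 * These are local re-definitions for the example, not the kernel headers. */
#define _PAGE_PRESENT  (1ULL << 0)
#define _PAGE_RW       (1ULL << 1)
#define _PAGE_USER     (1ULL << 2)
#define _PAGE_ACCESSED (1ULL << 5)
#define _PAGE_DIRTY    (1ULL << 6)
#define _PAGE_NX       (1ULL << 63)

/* The flag set Linux expects on a kernel page-directory entry. */
#define _KERNPG_TABLE  (_PAGE_PRESENT | _PAGE_RW | _PAGE_ACCESSED | _PAGE_DIRTY)

/* Assumption: 52-bit physical addresses, so the PFN occupies bits 12..51 and
 * everything else (low 12 bits plus bits 52..63, including NX) is a flag. */
#define PTE_PFN_MASK   (((1ULL << 52) - 1) & ~0xfffULL)
#define PTE_FLAGS_MASK (~PTE_PFN_MASK)

static inline uint64_t pgd_flags(uint64_t pgd) { return pgd & PTE_FLAGS_MASK; }
static inline uint64_t pgd_pfn(uint64_t pgd)   { return (pgd & PTE_PFN_MASK) >> 12; }
static inline bool pgd_present(uint64_t pgd)   { return (pgd_flags(pgd) & _PAGE_PRESENT) != 0; }

/* Mirrors Linux pgd_bad(): ignore USER (and NX when PTI is enabled); all
 * remaining flag bits must be exactly _KERNPG_TABLE. */
static inline bool pgd_bad(uint64_t pgd, bool pti_enabled)
{
    uint64_t ignore = _PAGE_USER;
    if (pti_enabled)
        ignore |= _PAGE_NX;
    return (pgd_flags(pgd) & ~ignore) != _KERNPG_TABLE;
}

/* Which of the required _KERNPG_TABLE bits the entry lacks (0 if none). */
static inline uint64_t pgd_missing_flags(uint64_t pgd)
{
    return _KERNPG_TABLE & ~pgd_flags(pgd);
}

static void dump_pgd(const char *label, uint64_t pgd)
{
    printf("%s: 0x%016llx pfn=0x%llx P=%d RW=%d US=%d A=%d D=%d NX=%d bad=%d missing=0x%llx\n",
           label, (unsigned long long)pgd, (unsigned long long)pgd_pfn(pgd),
           !!(pgd & _PAGE_PRESENT), !!(pgd & _PAGE_RW), !!(pgd & _PAGE_USER),
           !!(pgd & _PAGE_ACCESSED), !!(pgd & _PAGE_DIRTY), !!(pgd & _PAGE_NX),
           pgd_bad(pgd, false), (unsigned long long)pgd_missing_flags(pgd));
}

int main(void)
{
    /* The two PML4 entries for 0xffff804000000000 quoted in the mail. */
    dump_pgd("Xen 4.6 ", 0x183d125067ULL);
    dump_pgd("Xen 4.13", 0x800000021a445025ULL);
    return 0;
}
```

The decode answers the narrower question of why pgd_bad() fires (the slot is read-only, not dirty, and non-executable from the guest's point of view); it does not by itself say what Xen changed between the two releases, which is the question left open in the mail.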



Thread overview: 3+ messages
2021-10-07 15:10 Charles Gonçalves [this message]
2021-10-08  9:30 ` PV - different behavior of pgd_offset in xen 4.6 and 4.13 for GUEST ACCESSIBLE memory area Jan Beulich
2021-10-08  9:36   ` Charles Gonçalves
