* Writing to arbitrary canonical addresses
From: Charles Gonçalves @ 2021-04-20 16:13 UTC (permalink / raw)
  To: xen-devel


Hello Guys,

I'm trying to reproduce old exploit behaviors in a simplistic way: create
a hypercall to write a buffer to a specific MFN.

At first, I thought that updating an l1 page in a valid VA in guest kernel
space would do the trick.
But for addresses outside the Guest-defined use range (0x0000000000000000 -
0x00007fffffffffff) it is a no go!
I get a page fault with a 'reserved bit in page table' warning message.

Now I'm trying to write to the address inside the hypervisor code, but not
sure how to do it.

Any comments or tips on this?


Regards,
Charles Ferreira Gonçalves


* Re: Writing to arbitrary canonical addresses
From: Andrew Cooper @ 2021-04-20 18:05 UTC (permalink / raw)
  To: Charles Gonçalves, xen-devel

On 20/04/2021 17:13, Charles Gonçalves wrote:
> Hello Guys,
>
> I'm trying to reproduce old exploit behaviors in a simplistic way:
> create a hypercall to write a buffer to a specific MFN.
>
> At first, I thought that updating an l1 page in a valid VA in guest
> kernel space would do the trick. 
> But for addresses outside the Guest-defined use range (0x0000000000000000 -
> 0x00007fffffffffff) it is a no go!
> I get a page fault with a 'reserved bit in page table' warning message.
>
> Now I'm trying to write to the address inside the hypervisor code, but
> not sure how to do it.  
>
> Any comments or tips on this?

So you're looking to add a hypercall to make arbitrary unaudited changes
to arbitrary memory, to simulate past security issues?

If you're seeing "Reserved bit in page table" then you've managed to
corrupt a pagetable entry somehow.  Xen doesn't write any reserved bits
(which it doesn't know how to interpret).

I'm afraid that if you want any further help with this specific failure,
you're going to have to post your changes to Xen somewhere.  pastebin,
or a pointer to a git branch, or whatever, but my divination skills
aren't great...

~Andrew



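An added example, not code from the thread or from Xen, showing what the "reserved bit in page table" fault Andrew describes actually checks: for 4-level x86-64 paging it computes which bits of each paging-structure entry must be zero (per the Intel SDM), and separately sorts a virtual address into the lower half quoted above, the upper half, or non-canonical. MAXPHYADDR and EFER.NXE are assumed inputs rather than read from the CPU.

```c
#include <stdbool.h>
#include <stdint.h>

/* Contiguous bit mask hi..lo inclusive; hi < lo yields 0. */
#define BITS(hi, lo) ((hi) < (lo) ? 0ull : (((1ull << ((hi) - (lo) + 1)) - 1) << (lo)))

/* Levels of 4-level (48-bit) x86-64 paging: PTE, PDE, PDPTE, PML4E. */
enum pt_level { PT_L1 = 1, PT_L2, PT_L3, PT_L4 };
#define PTE_P  (1ull << 0)  /* present */
#define PTE_PS (1ull << 7)  /* page size: leaf at L2 (2M) or L3 (1G) */

/* Bits a present entry must keep clear (Intel SDM vol. 3, ch. 4).
 * maxphyaddr = CPUID.80000008H:EAX[7:0], nxe = IA32_EFER.NXE; both are
 * assumed inputs here rather than read from the CPU. */
static uint64_t reserved_mask(enum pt_level level, uint64_t entry,
                              unsigned maxphyaddr, bool nxe)
{
    uint64_t m = BITS(51, maxphyaddr);  /* above the physical address width */
    if (!nxe)
        m |= 1ull << 63;                /* bit 63 is NX only with EFER.NXE */
    switch (level) {
    case PT_L4: m |= PTE_PS; break;     /* PML4E: no 512G pages */
    case PT_L3: if (entry & PTE_PS) m |= BITS(29, 13); break;  /* 1G leaf */
    case PT_L2: if (entry & PTE_PS) m |= BITS(20, 13); break;  /* 2M leaf */
    case PT_L1: break;
    }
    return m;
}

/* Reserved bits actually set in an entry; 0 means well formed. A #PF whose
 * error code has bit 3 (RSVD) set, Xen's "reserved bit in page table", means
 * some entry on the walk had one of these bits non-zero. */
static uint64_t reserved_bits_set(enum pt_level level, uint64_t entry,
                                  unsigned maxphyaddr, bool nxe)
{
    if (!(entry & PTE_P))
        return 0;                       /* not present: other bits are ignored */
    return entry & reserved_mask(level, entry, maxphyaddr, nxe);
}

/* Where a 48-bit virtual address falls: the lower half quoted in the thread,
 * the upper (kernel/hypervisor) half, or non-canonical, which raises #GP. */
enum va_region { VA_USER, VA_KERNEL, VA_NONCANONICAL };
static enum va_region classify_va(uint64_t va)
{
    uint64_t top = va >> 47;            /* bits 63:47 must be all 0 or all 1 */
    if (top == 0)       return VA_USER;          /* 0 .. 0x00007fffffffffff */
    if (top == 0x1ffff) return VA_KERNEL;        /* 0xffff800000000000 .. */
    return VA_NONCANONICAL;
}
```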

* Re: Writing to arbitrary canonical addresses
From: Charles Gonçalves @ 2021-04-20 22:00 UTC (permalink / raw)
  To: Andrew Cooper; +Cc: xen-devel


Thanks again Andrew, ...

My initial idea was to allocate a frame on kernel space and change the
update_va_mapping to "forcibly" write the desired MFN as the l1 page table
and return the va.

You can see what I did here:
https://github.com/charlesfg/xen/blob/5755f0752bd50891942768bf99898bbc8f7eac82/xen/arch/x86/mm.c#L4539

Basically, I assume the fast path and for the UPDATE_ENTRY
https://github.com/charlesfg/xen/blob/5755f0752bd50891942768bf99898bbc8f7eac82/xen/arch/x86/mm.c#L2184


Any help on this would be greatly appreciated  :)


Regards,
Charles Ferreira Gonçalves
