From: Tamas K Lengyel <tamas@tklengyel.com>
To: Razvan Cojocaru <rcojocaru@bitdefender.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>
Subject: Re: Ubuntu 16.04.1 LTS kernel 4.4.0-57 over-allocation and xen-access fail
Date: Tue, 10 Jan 2017 09:40:59 -0700 [thread overview]
Message-ID: <CABfawhmri96B6JxVXpNrJU+SuSqMrMmNBcVaemX1f_RbU42GdQ@mail.gmail.com> (raw)
In-Reply-To: <d64ed1d7-33ce-1448-6eac-bdc0f9c4fd66@bitdefender.com>
[-- Attachment #1.1: Type: text/plain, Size: 3745 bytes --]
On Tue, Jan 10, 2017 at 9:34 AM, Razvan Cojocaru <rcojocaru@bitdefender.com>
wrote:
> On 01/10/2017 06:29 PM, Tamas K Lengyel wrote:
> >
> >
> > On Tue, Jan 10, 2017 at 8:35 AM, Razvan Cojocaru
> > <rcojocaru@bitdefender.com <mailto:rcojocaru@bitdefender.com>> wrote:
> >
> > >>> What I meant was taking out this call:
> > >>>
> > >>> /* Remove the ring_pfn from the guest's physmap */
> > >>> rc1 = xc_domain_decrease_reservation_exact(xch, domain_id,
> 1, 0,
> > >>> &ring_pfn);
> > >>> if ( rc1 != 0 )
> > >>> PERROR("Failed to remove ring page from guest physmap");
> > >>>
> > >>> To leave the frame in the guest physmap. The issue is
> fundamentally
> > >>> that after this frame has been taken out, something kicks the VM
> to
> > >>> realise it has an extra frame of balloonable space, which it
> clearly
> > >>> compensates for.
> > >>>
> > >>> You can work around the added attack surface by marking it RO in
> > EPT;
> > >>> neither Xen's nor dom0's mappings are translated via EPT, so
> > they can
> > >>> still make updates, but the guest won't be able to write to it.
> > >>>
> > >>> I should say that this is all a gross hack, and is in desperate
> > need of
> > >>> a proper API to make rings entirely outside of the gfn space,
> > but this
> > >>> hack should work for now.
> > >> Thanks! So far, it seems to work like a charm like this:
> > >
> > > Great.
> > >
> > >>
> > >> diff --git a/tools/libxc/xc_vm_event.c b/tools/libxc/xc_vm_event.c
> > >> index 2fef96a..5dd00a6 100644
> > >> --- a/tools/libxc/xc_vm_event.c
> > >> +++ b/tools/libxc/xc_vm_event.c
> > >> @@ -130,9 +130,17 @@ void *xc_vm_event_enable(xc_interface *xch,
> > domid_t
> > >> domain_id, int param,
> > >> }
> > >>
> > >> /* Remove the ring_pfn from the guest's physmap */
> > >> + /*
> > >> rc1 = xc_domain_decrease_reservation_exact(xch, domain_id,
> 1, 0,
> > >> &ring_pfn);
> > >> if ( rc1 != 0 )
> > >> PERROR("Failed to remove ring page from guest physmap");
> > >> + */
> > >> +
> > >> + if ( xc_set_mem_access(xch, domain_id, XENMEM_access_r,
> > mmap_pfn, 1) )
> > >> + {
> > >> + PERROR("Could not set ring page read-only\n");
> > >> + goto out;
> > >> + }
> > >>
> > >> out:
> > >> saved_errno = errno;
> > >>
> > >> Should I send this as a patch for mainline as well?
> > >
> > > Probably a good idea, although I would include a code comment
> > explaining
> > > what is going on, because this is subtle if you don't know the
> > context.
> >
> > Will do, I'll send a patch out as soon as we've done a few more
> rounds
> > of testing.
> >
> >
> > (replying to all): I'm not in favor of this patch mainly because it is
> > not stealthy. A malicious kernel could easily track what events are
> > being sent on the ring. With DRAKVUF I could work around this using
> > altp2m pfn-remapping, but for other tools this is can be a serious
> > information leak.
>
> I understand your point, however the alternative is potential lack of
> availability to monitor which is arguably a more severe problem. _Any_
> guest could choose to do what this Ubuntu 16.04 guest does, and then
> connecting to the guest via vm_event can only be done once.
>
IMHO in that case you should implement your own internal version of this
function to fall back to instead of forcing all tools to go down this path.
The requirements to do that in your own tool are accessible so there is no
need to push that into libxc.
Tamas
[-- Attachment #1.2: Type: text/html, Size: 5425 bytes --]
[-- Attachment #2: Type: text/plain, Size: 127 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-01-10 16:41 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-09 11:36 Ubuntu 16.04.1 LTS kernel 4.4.0-57 over-allocation and xen-access fail Razvan Cojocaru
2017-01-09 11:52 ` Jan Beulich
2017-01-09 12:01 ` Razvan Cojocaru
2017-01-09 12:04 ` Andrew Cooper
2017-01-09 19:18 ` Tamas K Lengyel
2017-01-09 12:54 ` Andrew Cooper
2017-01-10 9:06 ` Razvan Cojocaru
2017-01-10 14:13 ` Andrew Cooper
2017-01-10 15:02 ` Razvan Cojocaru
2017-01-10 15:11 ` Andrew Cooper
2017-01-10 15:35 ` Razvan Cojocaru
2017-01-10 16:29 ` Tamas K Lengyel
2017-01-10 16:34 ` Razvan Cojocaru
2017-01-10 16:40 ` Tamas K Lengyel [this message]
2017-01-10 17:09 ` Razvan Cojocaru
2017-01-10 9:45 ` Razvan Cojocaru
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABfawhmri96B6JxVXpNrJU+SuSqMrMmNBcVaemX1f_RbU42GdQ@mail.gmail.com \
--to=tamas@tklengyel.com \
--cc=andrew.cooper3@citrix.com \
--cc=rcojocaru@bitdefender.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.