* Writing to arbritary cannonical addresses
@ 2021-04-20 16:13 Charles Gonçalves
2021-04-20 18:05 ` Andrew Cooper
0 siblings, 1 reply; 3+ messages in thread
From: Charles Gonçalves @ 2021-04-20 16:13 UTC (permalink / raw)
To: xen-devel
[-- Attachment #1: Type: text/plain, Size: 609 bytes --]
Hello Guys,
I'm trying to reproduce old exploit behaviors in a simplistic way: create
an hypercall to write a buffer to a specific MFN.
At first, I thought that updating an l1 page in a valid VA in guest kernel
space would do the trick.
But for addresses outside the Guest-defined use (0x0000000000000000 -
0x00007fffffffffff ) is a no go!
I get a page fault with 'reserved bit in page table' warning message.
Now I'm trying to write to the address inside the hypervisor code, but not
sure how to do it.
Any comments or tips on this?
Atenciosamente,
*Charles Ferreira Gonçalves *
[-- Attachment #2: Type: text/html, Size: 1001 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Writing to arbritary cannonical addresses
2021-04-20 16:13 Writing to arbritary cannonical addresses Charles Gonçalves
@ 2021-04-20 18:05 ` Andrew Cooper
2021-04-20 22:00 ` Charles Gonçalves
0 siblings, 1 reply; 3+ messages in thread
From: Andrew Cooper @ 2021-04-20 18:05 UTC (permalink / raw)
To: Charles Gonçalves, xen-devel
On 20/04/2021 17:13, Charles Gonçalves wrote:
> Hello Guys,
>
> I'm trying to reproduce old exploit behaviors in a simplistic way:
> create an hypercall to write a buffer to a specific MFN.
>
> At first, I thought that updating an l1 page in a valid VA in guest
> kernel space would do the trick.
> But for addresses outside the Guest-defined use (0x0000000000000000 -
> 0x00007fffffffffff ) is a no go!
> I get a page fault with 'reserved bit in page table' warning message.
>
> Now I'm trying to write to the address inside the hypervisor code, but
> not sure how to do it.
>
> Any comments or tips on this?
So you're looking to add a hypercall to make arbitrary unaudited changes
to arbitrary memory, to simulate past security issues?
If you're seeing "Reserved bit in page table" then you've managed to
corrupt a pagetable entry somehow. Xen doesn't write any reserved bits
(which it doesn't know how to interpret).
I'm afraid that if you want any further help with this specific failure,
you're going to have to post your changes to Xen somewhere. pastebin,
or a pointer to a git branch, or whatever, but my divination skills
aren't great...
~Andrew
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Writing to arbritary cannonical addresses
2021-04-20 18:05 ` Andrew Cooper
@ 2021-04-20 22:00 ` Charles Gonçalves
0 siblings, 0 replies; 3+ messages in thread
From: Charles Gonçalves @ 2021-04-20 22:00 UTC (permalink / raw)
To: Andrew Cooper; +Cc: xen-devel
[-- Attachment #1: Type: text/plain, Size: 1955 bytes --]
Thanks again Andrew, ...
My initial idea was to allocate a frame on kernel space and change the
update_va_mapping to "forcibly" write the desired MFN as the l1 page table
and return the va.
You can see what I did here:
https://github.com/charlesfg/xen/blob/5755f0752bd50891942768bf99898bbc8f7eac82/xen/arch/x86/mm.c#L4539
Basically, I assume the fast path and for the UPDATE_ENTRY
https://github.com/charlesfg/xen/blob/5755f0752bd50891942768bf99898bbc8f7eac82/xen/arch/x86/mm.c#L2184
Any help on this would be greatly appreciated :)
Atenciosamente,
*Charles Ferreira Gonçalves *
On Tue, Apr 20, 2021 at 7:05 PM Andrew Cooper <andrew.cooper3@citrix.com>
wrote:
> On 20/04/2021 17:13, Charles Gonçalves wrote:
> > Hello Guys,
> >
> > I'm trying to reproduce old exploit behaviors in a simplistic way:
> > create an hypercall to write a buffer to a specific MFN.
> >
> > At first, I thought that updating an l1 page in a valid VA in guest
> > kernel space would do the trick.
> > But for addresses outside the Guest-defined use (0x0000000000000000 -
> > 0x00007fffffffffff ) is a no go!
> > I get a page fault with 'reserved bit in page table' warning message.
> >
> > Now I'm trying to write to the address inside the hypervisor code, but
> > not sure how to do it.
> >
> > Any comments or tips on this?
>
> So you're looking to add a hypercall to make arbitrary unaudited changes
> to arbitrary memory, to simulate past security issues?
>
> If you're seeing "Reserved bit in page table" then you've managed to
> corrupt a pagetable entry somehow. Xen doesn't write any reserved bits
> (which it doesn't know how to interpret).
>
> I'm afraid that if you want any further help with this specific failure,
> you're going to have to post your changes to Xen somewhere. pastebin,
> or a pointer to a git branch, or whatever, but my divination skills
> aren't great...
>
> ~Andrew
>
>
[-- Attachment #2: Type: text/html, Size: 3001 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-20 22:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-20 16:13 Writing to arbritary cannonical addresses Charles Gonçalves
2021-04-20 18:05 ` Andrew Cooper
2021-04-20 22:00 ` Charles Gonçalves
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).