From: Ian Campbell
Subject: Re: [PATCH V13 3/7] xen/arm: Allow hypervisor access to mem_access protected pages
Date: Thu, 12 Mar 2015 15:56:24 +0000
Message-ID: <1426175784.32572.27.camel@citrix.com>
To: Tamas K Lengyel
Cc: wei.liu2@citrix.com, Stefano Stabellini, Ian Jackson, Julien Grall, Tim Deegan, xen-devel@lists.xen.org, stefano.stabellini@citrix.com, Jan Beulich, Keir Fraser

On Thu, 2015-03-12 at 16:44 +0100, Tamas K Lengyel wrote:
> On Thu, Mar 12, 2015 at 4:40 PM, Julien Grall wrote:
> > Hi Ian,
> >
> > On 12/03/15 15:27, Ian Campbell wrote:
> > >> Currently, check_type_get_page emulate only the check for 2). So you may
> > >> end up to allow Xen writing in read-only mapping (from the Stage 1 POV).
> > >> This was XSA-98.
> > >
> > > XSA-98 was purely about stage-2 permissions (e.g. read-only grants). The
> > > fact that the resulting patch also checks stage-1 permissions is not a
> > > security property AFAICT.
> >
> > XSA-98 was for both... Without checking stage-1 permission a userspace
> > which can issue an hypercall may be able to write into read-only kernel
> > space. Whoops.
>
> Userspace is able to issue hypercall?

Via ioctls on /proc/xen/privcmd, yes. It's how the toolstack talks to
Xen...