Re: [PATCH V13 3/7] xen/arm: Allow hypervisor access to mem_access protected pages

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ian Campbell <ian.campbell@citrix.com>
To: Tamas K Lengyel <tklengyel@sec.in.tum.de>
Cc: wei.liu2@citrix.com,
	Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>,
	Julien Grall <julien.grall@linaro.org>, Tim Deegan <tim@xen.org>,
	xen-devel@lists.xen.org, stefano.stabellini@citrix.com,
	Jan Beulich <jbeulich@suse.com>, Keir Fraser <keir@xen.org>
Subject: Re: [PATCH V13 3/7] xen/arm: Allow hypervisor access to mem_access protected pages
Date: Thu, 12 Mar 2015 16:48:33 +0000	[thread overview]
Message-ID: <1426178913.32572.58.camel@citrix.com> (raw)
In-Reply-To: <CABfawhnnap283qtVJWUwfuX0v2pGB1gqmFT28bzOG79Y88hBLg@mail.gmail.com>

On Thu, 2015-03-12 at 17:02 +0100, Tamas K Lengyel wrote:
> 
> 
> On Thu, Mar 12, 2015 at 4:56 PM, Ian Campbell
> <ian.campbell@citrix.com> wrote:
>         On Thu, 2015-03-12 at 16:44 +0100, Tamas K Lengyel wrote:
>         >
>         >
>         > On Thu, Mar 12, 2015 at 4:40 PM, Julien Grall
>         > <julien.grall@linaro.org> wrote:
>         >         Hi Ian,
>         >
>         >         On 12/03/15 15:27, Ian Campbell wrote:
>         >         >> Currently, check_type_get_page emulate only the
>         check for
>         >         2). So you may
>         >         >> end up to allow Xen writing in read-only mapping
>         (from the
>         >         Stage 1 POV).
>         >         >> This was XSA-98.
>         >         >
>         >         > XSA-98 was purely about stage-2 permissions (e.g.
>         read-only
>         >         grants). The
>         >         > fact that the resulting patch also checks stage-1
>         >         permissions is not a
>         >         > security property AFAICT.
>         >
>         >         XSA-98 was for both... Without checking stage-1
>         permission a
>         >         userspace
>         >         which can issue an hypercall may be able to write
>         into
>         >         read-only kernel
>         >         space. Whoops.
>         >
>         >
>         > Userspace is able to issue hypercall?
>         
>         
>         Via ioctls on /proc/xen/privcmd, yes. It's how the toolstack
>         talks to
>         Xen...
> 
> 
> Well, that is not the userspace issuing the hypercall, its a kernel
> module issuing the hypercall on behalf of a process ;)

But the vaddrs etc in there are userspace controlled and the kernel does
not validate them.

Ian.

next prev parent reply	other threads:[~2015-03-12 16:48 UTC|newest]

Thread overview: 71+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-06 21:24 [PATCH V13 0/7] Mem_access for ARM Tamas K Lengyel
2015-03-06 21:24 ` [PATCH V13 1/7] xen/arm: p2m changes for mem_access support Tamas K Lengyel
2015-03-11 16:07   ` Stefano Stabellini
2015-03-11 17:05     ` Tamas K Lengyel
2015-03-12 11:27   ` Ian Campbell
2015-03-12 12:22     ` Tamas K Lengyel
2015-03-12 13:53       ` Ian Campbell
2015-03-12 12:57   ` Julien Grall
2015-03-12 13:18     ` Tamas K Lengyel
2015-03-12 13:25       ` Julien Grall
2015-03-12 13:55         ` Ian Campbell
2015-03-12 13:56     ` Ian Campbell
2015-03-12 14:10       ` Andrew Cooper
2015-03-12 16:56         ` Julien Grall
2015-03-12 17:11           ` Ian Campbell
2015-03-06 21:24 ` [PATCH V13 2/7] xen/arm: Implement domain_get_maximum_gpfn Tamas K Lengyel
2015-03-11 15:43   ` Stefano Stabellini
2015-03-06 21:24 ` [PATCH V13 3/7] xen/arm: Allow hypervisor access to mem_access protected pages Tamas K Lengyel
2015-03-12 12:08   ` Ian Campbell
2015-03-12 12:31     ` Tamas K Lengyel
2015-03-12 13:24   ` Julien Grall
2015-03-12 13:38     ` Tamas K Lengyel
2015-03-12 13:43       ` Julien Grall
2015-03-12 14:33         ` Tamas K Lengyel
2015-03-12 13:50   ` Julien Grall
2015-03-12 14:13     ` Tamas K Lengyel
2015-03-12 14:52       ` Julien Grall
2015-03-12 15:27         ` Ian Campbell
2015-03-12 15:40           ` Julien Grall
2015-03-12 15:44             ` Tamas K Lengyel
2015-03-12 15:56               ` Ian Campbell
2015-03-12 16:02                 ` Tamas K Lengyel
2015-03-12 16:48                   ` Ian Campbell [this message]
2015-03-12 16:55                     ` Tamas K Lengyel
2015-03-12 15:54             ` Ian Campbell
2015-03-12 15:41           ` Tamas K Lengyel
2015-03-12 15:55             ` Ian Campbell
2015-03-12 16:10               ` Tamas K Lengyel
2015-03-06 21:24 ` [PATCH V13 4/7] xen/arm: Data abort exception (R/W) mem_events Tamas K Lengyel
2015-03-12 13:35   ` Ian Campbell
2015-03-12 15:13     ` Tamas K Lengyel
2015-03-12 15:19       ` Tamas K Lengyel
2015-03-12 15:24         ` Julien Grall
2015-03-12 15:35         ` Ian Campbell
2015-03-12 16:35           ` Julien Grall
2015-03-12 15:30       ` Ian Campbell
2015-03-12 15:13   ` Julien Grall
2015-03-12 15:26     ` Tamas K Lengyel
2015-03-12 15:37       ` Julien Grall
2015-03-12 15:46         ` Ian Campbell
2015-03-12 16:54           ` Julien Grall
2015-03-06 21:24 ` [PATCH V13 5/7] xen/arm: Instruction prefetch abort (X) mem_event handling Tamas K Lengyel
2015-03-23 14:32   ` Tamas K Lengyel
2015-03-23 15:15     ` Ian Campbell
2015-03-23 15:18       ` Ian Campbell
2015-03-23 15:47         ` Tamas K Lengyel
2015-03-23 16:22           ` Ian Campbell
2015-03-23 16:47             ` Tamas K Lengyel
2015-03-24 13:06               ` Tamas K Lengyel
2015-03-26 10:50                 ` Ian Campbell
2015-03-26 11:24                   ` Tamas K Lengyel
2015-03-26 11:53                     ` Ian Campbell
2015-03-06 21:24 ` [PATCH V13 6/7] xen/arm: Enable mem_access on ARM Tamas K Lengyel
2015-03-12 13:36   ` Ian Campbell
2015-03-12 15:19   ` Julien Grall
2015-03-12 15:43     ` Tamas K Lengyel
2015-03-06 21:24 ` [PATCH V13 7/7] tools/libxc: Allocate magic page for mem access " Tamas K Lengyel
2015-03-12 13:36   ` Ian Campbell
2015-03-12 11:30 ` [PATCH V13 0/7] Mem_access for ARM Ian Campbell
2015-03-12 12:24   ` Tamas K Lengyel
2015-03-12 13:53     ` Ian Campbell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1426178913.32572.58.camel@citrix.com \
    --to=ian.campbell@citrix.com \
    --cc=ian.jackson@eu.citrix.com \
    --cc=jbeulich@suse.com \
    --cc=julien.grall@linaro.org \
    --cc=keir@xen.org \
    --cc=stefano.stabellini@citrix.com \
    --cc=stefano.stabellini@eu.citrix.com \
    --cc=tim@xen.org \
    --cc=tklengyel@sec.in.tum.de \
    --cc=wei.liu2@citrix.com \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.