From: Avi Kivity <avi@redhat.com>
To: Glauber Costa <glommer@redhat.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH] Check for ambiguities in create alias ioctl.
Date: Thu, 13 Nov 2008 14:44:09 +0200 [thread overview]
Message-ID: <491C2119.6000107@redhat.com> (raw)
In-Reply-To: <1226586776-18999-1-git-send-email-glommer@redhat.com>
Glauber Costa wrote:
> The current alias ioctl allows for the creation of
> an alias covering a gpa that already exists. It is invalid,
> because the gpa space needs to be uniquely mapped. So, if
> there's a memory slot covering gpa range 0x123000 to 0x124000,
> and we create an alias from any gpa within that range to a different
> target, we create an essential ambiguity that brings no value at
> the cost of a lot of confusion. Right now this confusion
> manifests itself as a BUG() triggered in the rmaps code path.
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 7a2aeba..c3b5770 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -1591,6 +1591,8 @@ static int kvm_vm_ioctl_set_memory_alias(struct kvm *kvm,
> {
> int r, n;
> struct kvm_mem_alias *p;
> + gfn_t base_gfn;
> + unsigned long npages;
>
> r = -EINVAL;
> /* General sanity checks */
> @@ -1607,12 +1609,18 @@ static int kvm_vm_ioctl_set_memory_alias(struct kvm *kvm,
> < alias->target_phys_addr)
> goto out;
>
> + base_gfn = alias->guest_phys_addr >> PAGE_SHIFT;
> + npages = alias->memory_size >> PAGE_SHIFT;
> +
> + if (gfn_to_memslot(kvm, base_gfn) || gfn_to_memslot(kvm, base_gfn + npages))
> + goto out;
> +
>
This says nothing about base_gfn + 17. Moreover, we don't care if
base+gfn +npages is mapped - it's outside the half-closed alias range.
Further, a clever attacker would first establish the alias, then the
memslot, bypassing the checks. I suggest (a) extracting a function to
check for range overlap from the memslot code, (b) extending it to check
for both memslots and aliases, and (c) using it everywhere.
--
error compiling committee.c: too many arguments to function
next prev parent reply other threads:[~2008-11-13 12:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-13 14:32 [PATCH] Check for ambiguities in create alias ioctl Glauber Costa
2008-11-13 12:44 ` Avi Kivity [this message]
-- strict thread matches above, loose matches on Subject: below --
2008-11-18 3:01 Glauber Costa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=491C2119.6000107@redhat.com \
--to=avi@redhat.com \
--cc=glommer@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.