From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: Jan Beulich <JBeulich@suse.com>, Tiejun Chen <tiejun.chen@intel.com>
Cc: kevin.tian@intel.com, wei.liu2@citrix.com,
ian.campbell@citrix.com, stefano.stabellini@eu.citrix.com,
tim@xen.org, ian.jackson@eu.citrix.com, xen-devel@lists.xen.org,
yang.z.zhang@intel.com
Subject: Re: [v8][PATCH 03/17] introduce XENMEM_reserved_device_memory_map
Date: Mon, 08 Dec 2014 11:45:45 -0500
Message-ID: <5485D5B9.60303@tycho.nsa.gov>
In-Reply-To: <548584C9020000780004DAB2@mail.emea.novell.com>

On 12/08/2014 05:00 AM, Jan Beulich wrote:
>>>> On 08.12.14 at 07:17, <tiejun.chen@intel.com> wrote:
>> On 2014/12/3 3:47, Konrad Rzeszutek Wilk wrote:
>>> On Mon, Dec 01, 2014 at 05:24:21PM +0800, Tiejun Chen wrote:
>>>> @@ -1101,6 +1129,29 @@ long do_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
>>>> break;
>>>> }
>>>>
>>>> +#ifdef HAS_PASSTHROUGH
>>>> + case XENMEM_reserved_device_memory_map:
>>>> + {
>>>> + struct get_reserved_device_memory grdm;
>>>> +
>>>> + if ( copy_from_guest(&grdm.map, arg, 1) ||
>>>> + !guest_handle_okay(grdm.map.buffer, grdm.map.nr_entries) )
>>>> + return -EFAULT;
>>>> +
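Review bot: The `case XENMEM_reserved_device_memory_map:` label has no comment explaining why the handler, in the quoted lines, passes from `copy_from_guest()` and `guest_handle_okay()` onward without an XSM hook. If the omission is deliberate, a one-line comment at the case label saying so would keep it from looking accidental. Separately, only `grdm.map` is filled from the guest here; since `grdm` is a stack variable, any other members of `struct get_reserved_device_memory` should be initialised before they are read.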
>>>
>>> Shouldn't there be an XSM check here?
>>
>> I'm not sure, and Jan should be the author for this patch, so Jan can
>> give you a correct reply.
>
> Hmm, not sure: Daniel, does an operation like this need an XSM
> check? It's not clear whether the absence of such a check in e.g.
> the handling of XENMEM_memory_map, XENMEM_machphys_mapping,
> or XENMEM_maximum_ram_page is intentional (and can be used as
> justification for it to be absent here too - after all the operation is for
> a domain to find out information about only itself).
>
> Jan
I can see a possible reason why an XSM check might be needed here, but
I'm not sufficiently clear on what reserved device memory is to tell
for sure. My best guess is that it is not needed.

From my reading of this patchset, this hypercall just identifies regions
of memory that are reserved, similar to exposing the host's e820 map to a
guest. That seems similar enough to the other XENMEM_* leaks that it is
acceptable to also allow it. If there is a reason that it would be useful
to hide this, adding hooks to all these locations so that only domains
that use passthrough devices (and therefore need to know about the host
system's memory) will have access is probably the best option.

If a guest who has control of a passthrough device can cause these
reserved ranges to change, then there may be reason to prevent others
from querying them, but that doesn't appear to be the case here.

--
Daniel De Graaf
National Security Agency