From: Julien Grall
Subject: Re: [PATCH V13 3/7] xen/arm: Allow hypervisor access to mem_access protected pages
Date: Thu, 12 Mar 2015 15:40:38 +0000
Message-ID: <5501B376.20108@linaro.org>
References: <1425677073-13729-1-git-send-email-tklengyel@sec.in.tum.de> <1425677073-13729-4-git-send-email-tklengyel@sec.in.tum.de> <55019996.9050208@linaro.org> <5501A831.6010009@linaro.org> <1426174055.32572.10.camel@citrix.com>
In-Reply-To: <1426174055.32572.10.camel@citrix.com>
To: Ian Campbell
Cc: wei.liu2@citrix.com, Stefano Stabellini, Tim Deegan, Ian Jackson, xen-devel@lists.xen.org, stefano.stabellini@citrix.com, Jan Beulich, Keir Fraser, Tamas K Lengyel
List-Id: xen-devel@lists.xenproject.org

Hi Ian,

On 12/03/15 15:27, Ian Campbell wrote:
>> Currently, check_type_get_page emulate only the check for 2). So you may
>> end up to allow Xen writing in read-only mapping (from the Stage 1 POV).
>> This was XSA-98.
>
> XSA-98 was purely about stage-2 permissions (e.g. read-only grants). The
> fact that the resulting patch also checks stage-1 permissions is not a
> security property AFAICT.

XSA-98 was for both... Without checking stage-1 permission a userspace which can issue a hypercall may be able to write into read-only kernel space. Whoops. Though it doesn't every possibility...

Regards,

--
Julien Grall