From: David Vrabel
Subject: Re: Xen Security Advisory 155 (CVE-2015-8550) - paravirtualized drivers incautious about shared memory
Date: Mon, 4 Jan 2016 16:22:32 +0000
Message-ID: <568A9C48.6000904@citrix.com>
In-Reply-To: <20160104130632.GF4892@mail-itl>
To: Marek Marczykowski-Górecki, Eric Shelton
Cc: xen-devel@lists.xen.org, Stefano Stabellini, security@xen.org
List-Id: xen-devel@lists.xenproject.org

On 04/01/16 13:06, Marek Marczykowski-Górecki wrote:
> On Tue, Dec 22, 2015 at 10:06:25AM -0500, Eric Shelton wrote:
>> The XSA mentions that "PV frontend patches will be developed and
>> released (publicly) after the embargo date." Has anything been done
>> towards this that should also be incorporated into MiniOS? On a
>> system utilizing a "driver domain," where a backend is running on a
>> domain that is considered unprivileged and untrusted (such as the
>> example described in http://wiki.xenproject.org/wiki/Driver_Domain),
>> it seems XSA-155-style double fetch vulnerabilities in the frontends
>> are also a potential security concern, and should be eliminated.
>> However, perhaps that does not include pcifront, since pciback would
>> always be running in dom0.
>
> And BTW the same applies to Linux frontends, for which I also haven't seen
> any public development. Attached is my email to the
> xen-security-issues-discuss list (sent during the embargo), with patches
> attached there. I haven't got any response.

There are no similar security concerns with frontends since they trust
the backend.

I note that you say: "But in some cases (namely: if driver domains are
in use), frontends may be more trusted/privileged than backends." But
this cannot be the case since the backend can always trivially DoS the
frontend by (for example) not unmapping grant references when required
by the protocol.

David
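The "XSA-155-style double fetch" the thread refers to, shown as an added example that is not code from the advisory, the Xen tree or any of the posters: a consumer validates a length it reads from a ring shared with the peer domain, then reads the same field again when it uses it, so the peer can change the value between the two reads. The hardened form copies the request out of shared memory once and validates and uses only the private copy, which is what the Xen-side fix's RING_COPY_REQUEST macro does for ring entries. The struct, the MAX_LEN limit, the hook that stands in for the racing peer and all function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from the Xen tree or the XSA-155 patches.
 * Limit the consuming side enforces on a request's length (assumed value). */
#define MAX_LEN 64

/* One request slot as it sits in a ring shared with the other domain.
 * The fields are volatile because the peer can rewrite them at any time. */
struct shared_req {
    volatile uint32_t len;
    volatile uint32_t op;
};

/* Stand-in for the peer domain racing the consumer.  A hook installed here
 * is invoked at the point between the consumer's first and second read,
 * which makes the race deterministic for the demonstration. */
typedef void (*peer_hook_t)(struct shared_req *);
static peer_hook_t peer_between_reads;

static void race_window(struct shared_req *r)
{
    if (peer_between_reads)
        peer_between_reads(r);
}

/* XSA-155 pattern: the length is validated on one read of shared memory and
 * then re-read for use.  Returns the length the consumer ends up acting on,
 * or -1 if the request was rejected.  A real driver would size a copy with
 * that value, so a second read that exceeds MAX_LEN is an overrun. */
int consume_double_fetch(struct shared_req *shared)
{
    if (shared->len > MAX_LEN)      /* first read: the check */
        return -1;
    race_window(shared);            /* peer rewrites len in shared memory */
    return (int)shared->len;        /* second read: the use, no longer checked */
}

/* Hardened form: copy the request out of shared memory once, field by field,
 * then validate and use only the private copy. */
int consume_copy_once(struct shared_req *shared)
{
    struct shared_req local;
    local.len = shared->len;
    local.op = shared->op;
    if (local.len > MAX_LEN)
        return -1;
    race_window(shared);            /* peer rewrites shared memory ... */
    return (int)local.len;          /* ... but the private copy is unaffected */
}

/* Peer behaviour for the demonstration: raise the length past the limit
 * after the consumer has already checked it. */
static void peer_tampers(struct shared_req *r)
{
    r->len = 1000;
}

/* Runs each consumer against a slot that starts out with a valid length. */
int run_vulnerable(void)
{
    struct shared_req slot = { .len = 16, .op = 1 };
    peer_between_reads = peer_tampers;
    return consume_double_fetch(&slot);   /* 1000: the limit was bypassed */
}

int run_hardened(void)
{
    struct shared_req slot = { .len = 16, .op = 1 };
    peer_between_reads = peer_tampers;
    return consume_copy_once(&slot);      /* 16: the checked value is the one used */
}

int main(void)
{
    printf("double fetch used len %d, copy-once used len %d (limit %d)\n",
           run_vulnerable(), run_hardened(), MAX_LEN);
    return 0;
}
```

The invariant worth auditing a backend for is that every field of a request is read from shared memory exactly once and every later decision, including error paths and the response written back, works from the private copy; marking the shared fields volatile only stops the compiler from merging reads, it does not make the check-then-use sequence safe on its own.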