From mboxrd@z Thu Jan 1 00:00:00 1970 From: Corneliu ZUZU Subject: Re: [PATCH] x86/hvm: Fix use-after-free introduced by c/s 428607a Date: Tue, 2 Feb 2016 13:39:09 +0200 Message-ID: <56B0955D.2010002@bitdefender.com> References: <1454349419-18430-1-git-send-email-andrew.cooper3@citrix.com> <56B0964502000078000CD620@prv-mh.provo.novell.com> <56B08980.8060607@citrix.com> <56B0988F02000078000CD647@prv-mh.provo.novell.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <56B0988F02000078000CD647@prv-mh.provo.novell.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Jan Beulich , Andrew Cooper Cc: Xen-devel List-Id: xen-devel@lists.xenproject.org On 2/2/2016 12:52 PM, Jan Beulich wrote: >> NULLing the pointers would cause things like rtc_deinit() to always blow >> up when it followed the NULL pointer. >> >> IMO, we should unconditionally always NULL pointers when freeing a >> pointer which isn't in local scope. It would make issues such as these >> completely obvious. > As would poisoning the pointers, yet poisoning has the advantage > of not allowing PV guests to control what the hypervisor might > access when erroneously de-referencing such a pointer. > > Jan Jan, that sounds interesting. I hope I'm not intruding, but when you have the time, could you please expand on this? Besides distinguishing a nuked pointer from zeroed-out memory, I did not know of any other advantage of 0xDEADBEEF pointer poisoning (generally or specifically). How could possibly setting a pointer to NULL allow a PV guest to control what the hypervisor might access, if the hypervisor *can't access* a NULL pointer? And can a PV guest write data @ *hypervisor's* 0 page (virtual and/or physical)? Corneliu.