Mapping active GDT

Mapping active GDT

[Boris Ostrovsky]

I am looking into GDT remap series [0] which crashes PV guests and it
seems that the problem lies in the fact that we cannot establish new
mapping to an already existing GDT.

The mapping is created by

+static inline void setup_fixmap_gdt(int cpu)
+{
+       __set_fixmap(get_cpu_gdt_ro_index(cpu),
+                    __pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
+}

with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in

(XEN) mm.c:2570:d94v0 Bad type (saw 5400000000000001 != exp
7000000000000000) for mfn 1538fb (pfn 3e809)
(XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
(XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
80000001538fb063 for l1e_owner=94, pg_owner=94

(after a small change to xen_set_fixmap(), which I think was missing)

Before I try to come up with a fix I wanted to check here to see if this
(not being able to map active GDT) is indeed the case.

-boris


[0]
https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: Mapping active GDT

[Boris Ostrovsky]

On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
> I am looking into GDT remap series [0] which crashes PV guests and it
> seems that the problem lies in the fact that we cannot establish new
> mapping to an already existing GDT.
>
> The mapping is created by
>
> +static inline void setup_fixmap_gdt(int cpu)
> +{
> +       __set_fixmap(get_cpu_gdt_ro_index(cpu),
> +                    __pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
> +}
>
> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>
> (XEN) mm.c:2570:d94v0 Bad type (saw 5400000000000001 != exp
> 7000000000000000) for mfn 1538fb (pfn 3e809)
> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
> 80000001538fb063 for l1e_owner=94, pg_owner=94
>
> (after a small change to xen_set_fixmap(), which I think was missing)
>
> Before I try to come up with a fix I wanted to check here to see if this
> (not being able to map active GDT) is indeed the case.

Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.

I was working with wrong branch ;-( Sorry for the noise.

-boris

>
> -boris
>
>
> [0]
> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> https://lists.xen.org/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: Mapping active GDT

[Andrew Cooper]

On 11/03/2017 03:58, Boris Ostrovsky wrote:
> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>> I am looking into GDT remap series [0] which crashes PV guests and it
>> seems that the problem lies in the fact that we cannot establish new
>> mapping to an already existing GDT.
>>
>> The mapping is created by
>>
>> +static inline void setup_fixmap_gdt(int cpu)
>> +{
>> +       __set_fixmap(get_cpu_gdt_ro_index(cpu),
>> +                    __pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
>> +}
>>
>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>
>> (XEN) mm.c:2570:d94v0 Bad type (saw 5400000000000001 != exp
>> 7000000000000000) for mfn 1538fb (pfn 3e809)
>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>> 80000001538fb063 for l1e_owner=94, pg_owner=94

The problem here is that you are trying to create a writeable mapping to
the GDT frame.

Allowing the guest writeable access would be a security hole, as it is
trivial to escalate privilege under those circumstances.

~Andrew

>>
>> (after a small change to xen_set_fixmap(), which I think was missing)
>>
>> Before I try to come up with a fix I wanted to check here to see if this
>> (not being able to map active GDT) is indeed the case.
> Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.
>
> I was working with wrong branch ;-( Sorry for the noise.
>
> -boris
>
>> -boris
>>
>>
>> [0]
>> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>>
>>
>> _______________________________________________
>> Xen-devel mailing list
>> Xen-devel@lists.xen.org
>> https://lists.xen.org/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: Mapping active GDT

[Boris Ostrovsky]

On 03/11/2017 08:06 AM, Andrew Cooper wrote:
> On 11/03/2017 03:58, Boris Ostrovsky wrote:
>> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>>> I am looking into GDT remap series [0] which crashes PV guests and it
>>> seems that the problem lies in the fact that we cannot establish new
>>> mapping to an already existing GDT.
>>>
>>> The mapping is created by
>>>
>>> +static inline void setup_fixmap_gdt(int cpu)
>>> +{
>>> +       __set_fixmap(get_cpu_gdt_ro_index(cpu),
>>> +                    __pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
>>> +}
>>>
>>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>>
>>> (XEN) mm.c:2570:d94v0 Bad type (saw 5400000000000001 != exp
>>> 7000000000000000) for mfn 1538fb (pfn 3e809)
>>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>>> 80000001538fb063 for l1e_owner=94, pg_owner=94
> The problem here is that you are trying to create a writeable mapping to
> the GDT frame.
>
> Allowing the guest writeable access would be a security hole, as it is
> trivial to escalate privilege under those circumstances.

Right, and I saw the same failure symptoms (hypervisor errors) even when
I replaced PAGE_KERNEL with PAGE_KERNEL_RO.

And then I realized that I was on a branch with other unrelated changes,
so I switched the branch and then things started to work. Thus my mea
culpa below.

-boris

>
> ~Andrew
>
>>> (after a small change to xen_set_fixmap(), which I think was missing)
>>>
>>> Before I try to come up with a fix I wanted to check here to see if this
>>> (not being able to map active GDT) is indeed the case.
>> Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.
>>
>> I was working with wrong branch ;-( Sorry for the noise.
>>
>> -boris
>>
>>> -boris
>>>
>>>
>>> [0]
>>> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>>>
>>>
>>> _______________________________________________
>>> Xen-devel mailing list
>>> Xen-devel@lists.xen.org
>>> https://lists.xen.org/xen-devel


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: Mapping active GDT

[Thomas Garnier]

On Mon, Mar 13, 2017 at 6:09 AM, Boris Ostrovsky
<boris.ostrovsky@oracle.com> wrote:
> On 03/11/2017 08:06 AM, Andrew Cooper wrote:
>> On 11/03/2017 03:58, Boris Ostrovsky wrote:
>>> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>>>> I am looking into GDT remap series [0] which crashes PV guests and it
>>>> seems that the problem lies in the fact that we cannot establish new
>>>> mapping to an already existing GDT.
>>>>
>>>> The mapping is created by
>>>>
>>>> +static inline void setup_fixmap_gdt(int cpu)
>>>> +{
>>>> +       __set_fixmap(get_cpu_gdt_ro_index(cpu),
>>>> +                    __pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
>>>> +}
>>>>
>>>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>>>
>>>> (XEN) mm.c:2570:d94v0 Bad type (saw 5400000000000001 != exp
>>>> 7000000000000000) for mfn 1538fb (pfn 3e809)
>>>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>>>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>>>> 80000001538fb063 for l1e_owner=94, pg_owner=94
>> The problem here is that you are trying to create a writeable mapping to
>> the GDT frame.
>>
>> Allowing the guest writeable access would be a security hole, as it is
>> trivial to escalate privilege under those circumstances.
>
> Right, and I saw the same failure symptoms (hypervisor errors) even when
> I replaced PAGE_KERNEL with PAGE_KERNEL_RO.
>
> And then I realized that I was on a branch with other unrelated changes,
> so I switched the branch and then things started to work. Thus my mea
> culpa below.
>

So we are good? :) (Meaning I still need to push the fix for 32 bit
but that's it).

> -boris
>
>>
>> ~Andrew
>>
>>>> (after a small change to xen_set_fixmap(), which I think was missing)
>>>>
>>>> Before I try to come up with a fix I wanted to check here to see if this
>>>> (not being able to map active GDT) is indeed the case.
>>> Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.
>>>
>>> I was working with wrong branch ;-( Sorry for the noise.
>>>
>>> -boris
>>>
>>>> -boris
>>>>
>>>>
>>>> [0]
>>>> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>>>>
>>>>
>>>> _______________________________________________
>>>> Xen-devel mailing list
>>>> Xen-devel@lists.xen.org
>>>> https://lists.xen.org/xen-devel
>



-- 
Thomas

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: Mapping active GDT

[Boris Ostrovsky]

On 03/13/2017 01:30 PM, Thomas Garnier wrote:
> On Mon, Mar 13, 2017 at 6:09 AM, Boris Ostrovsky
> <boris.ostrovsky@oracle.com> wrote:
>> On 03/11/2017 08:06 AM, Andrew Cooper wrote:
>>> On 11/03/2017 03:58, Boris Ostrovsky wrote:
>>>> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>>>>> I am looking into GDT remap series [0] which crashes PV guests and it
>>>>> seems that the problem lies in the fact that we cannot establish new
>>>>> mapping to an already existing GDT.
>>>>>
>>>>> The mapping is created by
>>>>>
>>>>> +static inline void setup_fixmap_gdt(int cpu)
>>>>> +{
>>>>> +       __set_fixmap(get_cpu_gdt_ro_index(cpu),
>>>>> +                    __pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
>>>>> +}
>>>>>
>>>>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>>>>
>>>>> (XEN) mm.c:2570:d94v0 Bad type (saw 5400000000000001 != exp
>>>>> 7000000000000000) for mfn 1538fb (pfn 3e809)
>>>>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>>>>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>>>>> 80000001538fb063 for l1e_owner=94, pg_owner=94
>>> The problem here is that you are trying to create a writeable mapping to
>>> the GDT frame.
>>>
>>> Allowing the guest writeable access would be a security hole, as it is
>>> trivial to escalate privilege under those circumstances.
>> Right, and I saw the same failure symptoms (hypervisor errors) even when
>> I replaced PAGE_KERNEL with PAGE_KERNEL_RO.
>>
>> And then I realized that I was on a branch with other unrelated changes,
>> so I switched the branch and then things started to work. Thus my mea
>> culpa below.
>>
> So we are good? :) (Meaning I still need to push the fix for 32 bit
> but that's it).
>


No, it will need a few small changes. I am actually finishing the test
run (in the next hour or so) and will reply on the Linux thread.

-boris

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: Mapping active GDT

[Thomas Garnier]

On Mon, Mar 13, 2017 at 10:32 AM, Boris Ostrovsky
<boris.ostrovsky@oracle.com> wrote:
> No, it will need a few small changes. I am actually finishing the test
> run (in the next hour or so) and will reply on the Linux thread.
>

Great, thanks again!



-- 
Thomas

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel