[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] tracking of Xen heap pages shared with guest



>>> Keir Fraser <keir.fraser@xxxxxxxxxxxxx> 14.03.08 14:10 >>>
>On 14/3/08 12:59, "Jan Beulich" <jbeulich@xxxxxxxxxx> wrote:
>
>> a) A guest unintentionally or maliciously frees (e.g. through
>> decrease_reservation) a page shared from the Xen heap (e.g. the
>> shared info page). From what I can see, such a page would have a
>> reference count of 1 (from share_xen_page_with_guest(), assuming
>> the guest doesn't have the page mapped), and would hence be
>> immediately freed with the corresponding put_page(). Nevertheless
>> Xen itself may continue to write to such a page.
>
>There is no extra reference count in this case. Xen's own reference is
>implicit, and this is okay because such pages are explicitly freed during
>domain final destruction, and at that point Xen knows the pages are going
>away.

Right, but the question was - what if the guest erroneously or
maliciously frees the page? If there's indeed no extra reference, then
the page (which Xen will continue to write to) may get assigned to a
different domain, including dom0, and hence the whole system could
get at risk.

>> b) A domU that had a xenoprof buffer allocated gets killed. Since the
>> xenoprof code directly calls free_xenheap_pages() on the buffer,
>> any mapping dom0 may have to it would not be considered, and hence
>> dom0 would retain a mapping to free memory. Additionally, the
>> put_page() in unshare_xenoprof_page_with_guest() could revert the
>> singe reference to the page established through
>> share_xen_page_with_guest() (i.e. if dom0 never mapped or already
>> unmapped the buffer), which again would result in the buffer getting
>> freed (and thus d->xenoprof->rawbuf becoming stale).
>
>I'm no expert on xenoprof. I've cc'ed Renato.
>
>Wouldn't dom0 mappings bump the page reference count, and this would prevent
>the domU being destroyed (remember that non-empty domain page ownership
>lists hold a domain reference)?

As I understand it, the pages get shared with dom0, so ownership also
transfers to dom0, which doesn't prevent the guest from being fully
destroyed.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.