Re: [Xen-devel] tracking of Xen heap pages shared with guest
>>> Keir Fraser <keir.fraser@xxxxxxxxxxxxx> 14.03.08 14:10 >>>
>On 14/3/08 12:59, "Jan Beulich" <jbeulich@xxxxxxxxxx> wrote:
>
>> a) A guest unintentionally or maliciously frees (e.g. through
>> decrease_reservation) a page shared from the Xen heap (e.g. the
>> shared info page). From what I can see, such a page would have a
>> reference count of 1 (from share_xen_page_with_guest(), assuming
>> the guest doesn't have the page mapped), and would hence be
>> immediately freed with the corresponding put_page(). Nevertheless
>> Xen itself may continue to write to such a page.
>
>There is no extra reference count in this case. Xen's own reference is
>implicit, and this is okay because such pages are explicitly freed during
>domain final destruction, and at that point Xen knows the pages are going
>away.

Right, but the question was - what if the guest erroneously or maliciously
frees the page? If there's indeed no extra reference, then the page (which
Xen will continue to write to) may get assigned to a different domain,
including dom0, and hence the whole system could be at risk.

>> b) A domU that had a xenoprof buffer allocated gets killed. Since the
>> xenoprof code directly calls free_xenheap_pages() on the buffer,
>> any mapping dom0 may have to it would not be considered, and hence
>> dom0 would retain a mapping to free memory. Additionally, the
>> put_page() in unshare_xenoprof_page_with_guest() could revert the
>> single reference to the page established through
>> share_xen_page_with_guest() (i.e. if dom0 never mapped or already
>> unmapped the buffer), which again would result in the buffer getting
>> freed (and thus d->xenoprof->rawbuf becoming stale).
>
>I'm no expert on xenoprof. I've cc'ed Renato.
>
>Wouldn't dom0 mappings bump the page reference count, and this would prevent
>the domU being destroyed (remember that non-empty domain page ownership
>lists hold a domain reference)?

As I understand it, the pages get shared with dom0, so ownership also
transfers to dom0, which doesn't prevent the guest from being fully
destroyed.

Jan