[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3 2/5] arch, arm: add consistency checks to REMOVE p2m changes

On Fri, 2014-03-21 at 11:51 +0000, Julien Grall wrote:
> Hi Ian,
> On 03/21/2014 10:44 AM, Ian Campbell wrote:
> > On Sat, 2014-03-15 at 21:11 +0100, Arianna Avanzini wrote:
> >> Currently, the REMOVE case of the switch in apply_p2m_changes()
> >> does not perform any consistency check on the mapping to be removed.
> >> More in detail, the code does not check that the type of the entry
> >> is correct in case of I/O memory mapping removal; also, the code
> >> does not check if the guest address to be unmapped is actually mapped
> >> to the machine address given as a parameter.
> >> This commit attempts to add the above-described consistency checks
> >> to the REMOVE path of apply_p2m_changes(). This is instrumental to
> >> the following commit which implements the possibility to trigger
> >> the removal of p2m ranges via the memory_mapping DOMCTL for ARM.
> > 
> > I'm not sure I follow why this is needed, is there some reason
> > apply_p2m_changes(REMOVE, ...) should not just remove whatever it is
> > asked to? What is the downside if the memory_mapping domctl removes
> > something which is not a memory mapping?
> > 
> > If it's just "a bug" then I think the toolstack should "Not Do That
> > Then". If the bug might have security implications then perhaps we need
> > to worry about it, but do you have such a case in mind?
> We have to check somewhere that the removed gfn corresponding to the mfn.

Why? The toolstack can punch whatever holes it wants in the guest
address space, can't it?

> Otherwise the toolstack may be able to remove any page as long as the
> MFN is in the iomem permitted range.

Can't it already do this through other paths?

Maybe there is a security implication there, but I would hope that the
two permissions were pretty closely linked.

> I think this is the best approach to check it.
> Regards,

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.