[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)

To: Jan Beulich <JBeulich@xxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
From: David Vrabel <david.vrabel@xxxxxxxxxx>
Date: Mon, 15 Aug 2016 15:50:30 +0100
Cc: StefanoStabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, GeorgeDunlap <george.dunlap@xxxxxxxxxx>, Anthony Perard <anthony.perard@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, dgdegra@xxxxxxxxxxxxx
Delivery-date: Mon, 15 Aug 2016 14:50:43 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 09/08/16 11:29, Jan Beulich wrote:
>>>> On 08.08.16 at 15:46, <ian.jackson@xxxxxxxxxxxxx> wrote:
>> Jan Beulich writes ("Re: Device model operation hypercall (DMOP, re qemu 
>> depriv)"):
>>> On 05.08.16 at 18:28, <ian.jackson@xxxxxxxxxxxxx> wrote:
>>>> That is, a bug of class 2 would allow the unprivileged qemu process in
>>>> dom0 to cause damage to other parts of dom0.
>> ...
>>> Ah, okay, I think I finally understand. [...]
>>>
>>> I'm having, however, a hard time imagining a class 2 bug for any
>>> of the hvmop-s that are being converted by the hvmctl series:
>>> These act on the target domain, so would not touch the calling
>>> ones state other than for copying argument structures to/from
>>> guest memory (and I don't view mixing up domain pointers as
>>> a likely source of problems).
>>
>> Right.  AIUI all the hypercall arguments are passed using
>> calling-guest-virtual addresses, which the dom0 privcmd arrangements
>> are capable of ensuring are sane.
> 
> Actually, having thought about this some more, and taking this
> together with the expectations to the privcmd driver previously
> outlined, I think this part is problematic: If all the driver is to know
> is the position (within the interface structure) of the target domain
> ID, then any guest handles embedded in the interface structure
> (XEN_HVMCTL_track_dirty_vram only for now) couldn't get
> validated, and hence user mode code would have a way to access
> or modify kernel memory.

It seems simpler to me to have in the privcmd driver:

    if (op == HVMCTL_track_dirty_vram)
        ret = access_ok(...);

It looks simpler to me to fix the ABI and add the checking in the
privcmd driver than add one of the proposed mechanisms to allow the
hypervisor to do the checking.

To avoid the issues with having to update the kernel in lock-step with
the hypervisor (if new checks are needed in privcmd), we can (in the
common case) do version the checking in the driver.

i.e., if the privcmd drivers knows about hypervisor ABI V but qemu needs
V+1 then it can choose to disable the depriv and thus continue to work
(with reduced defense in depth).

David

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich

References:
- [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Ian Jackson
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Wei Liu
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Ian Jackson
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Ian Jackson
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: George Dunlap
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Ian Jackson
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Ian Jackson
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Ian Jackson
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Ian Jackson
- Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH v3 9/9] livepach: Add .livepatch.hooks functions and test-case
Next by Date: Re: [Xen-devel] [PATCH v1] Livepatch ARM 64 implementation
Previous by thread: Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
Next by thread: Re: [Xen-devel] Device model operation hypercall (DMOP, re qemu depriv)
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.