[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] xc_hvm_inject_trap() races

>>> On 02.11.16 at 11:22, <vlutas@xxxxxxxxxxxxxxx> wrote:
>> From: Jan Beulich [mailto:JBeulich@xxxxxxxx]
>> Sent: 2 November, 2016 12:05
>> >>> On 02.11.16 at 10:53, <vlutas@xxxxxxxxxxxxxxx> wrote:
>> > The decision whether further events are needed or not is NOT made
>> > based on the contents of the missing page. Let us assume we have the
>> > MODULE structure, that contains a "name" and an "address". The MODULE
>> > is inserted in the modules list via a write, which triggers an EPT
>> > violation, which is handled by HVI. The HVI sees that "name" is the
>> > module it was waiting for (for example, ntdll, kernel32, or whatever),
>> > and decides that it doesn't want to intercept other modules being
>> > loaded, so it removes the write hook from the list. Furthermore, it
>> > sees that "address" points to a swapped-out page, so it injects a #PF, to
>> swap it in.
>> 
>> So what's the #PF needed for then, if the introspection engine doesn't need
>> looking at the page? Once again - I think it would have helped quite a bit 
>> if a
>> _complete_ picture had been drawn from the very beginning of this thread.
> 
> Who said the introspection logic doesn't need to inspect the page? That's 
> why we inject the #PF. Because we need to further inspect the page.

Looks like I've drawn a wrong conclusion then - sorry.

> But the 
> decision to inspect the missing page or the decision that further module 
> events are relevant or not is not related in any way to the contents of the 
> missing page. The contents of the missing page need to be inspected for other 
> reasons.

And the disabling of (in your example) module load monitoring could
then be done at that point, rather than right away?

> In my opinion, the complete picture _was_ drawn from the beginning, it just 
> seems that we need to zoom in more. You also have to understand that the HVI 
> itself is closed-source and there's a point beyond which we simply can't give 
> any more info. 

I'm sure you understand that with partial / insufficient info it then
may be impossible for anyone here to give advice which is actually
helpful to you.

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.