[PATCH 0/8] xen: harden frontends against malicious backends
Xen backends of para-virtualized devices can live in dom0 kernel, dom0 user land, or in a driver domain. This means that a backend might reside in a less trusted environment than the Xen core components, so a backend should not be able to do harm to a Xen guest (it can still mess up I/O data, but it shouldn't be able to e.g. crash a guest by other means or cause a privilege escalation in the guest).

Unfortunately many frontends in the Linux kernel fully trust their respective backends. This series is starting to fix the most important frontends: console, disk and network.

It was discussed to handle this as a security problem, but the topic had been discussed in public before, so it isn't a real secret.

Juergen Gross (8):
  xen: sync include/xen/interface/io/ring.h with Xen's newest version
  xen/blkfront: read response from backend only once
  xen/blkfront: don't take local copy of a request from the ring page
  xen/blkfront: don't trust the backend response data blindly
  xen/netfront: read response from backend only once
  xen/netfront: don't read data from request on the ring page
  xen/netfront: don't trust the backend response data blindly
  xen/hvc: replace BUG_ON() with negative return value

 drivers/block/xen-blkfront.c    | 118 +++++++++-----
 drivers/net/xen-netfront.c      | 184 ++++++++++++++-------
 drivers/tty/hvc/hvc_xen.c       |  15 +-
 include/xen/interface/io/ring.h | 278 ++++++++++++++++++--------------
 4 files changed, 369 insertions(+), 226 deletions(-)

-- 
2.26.2
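The pattern the series applies to blkfront and netfront (copy a response out of the shared ring page exactly once, validate every field of that private copy against what the frontend itself recorded, and return an error instead of hitting BUG_ON()) can be shown on a deliberately simplified ring. The code below is an added illustration written for this page, not code from the patch series or from Xen's include/xen/interface/io/ headers; the ring layout, the MAX_REQ_ID pending table and the demo_* scenarios are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified ring layout for illustration; not Xen's blkif/netif
 * structures. The backend can write any of these bytes at any time. */
#define RING_SIZE  8
#define MAX_REQ_ID 16

enum { OP_READ = 0, OP_WRITE = 1 };

struct ring_rsp {
    uint64_t id;        /* must echo the id the frontend put in the request */
    uint16_t operation; /* must echo the operation the frontend issued */
    int16_t  status;    /* backend's result: data, never a control value */
};

/* The page shared with the backend: everything here is untrusted. */
struct ring_shared {
    uint32_t rsp_prod;
    struct ring_rsp rsp[RING_SIZE];
};

/* Frontend-private state the backend cannot reach. */
struct frontend {
    volatile struct ring_shared *ring;
    uint32_t rsp_cons;
    uint8_t  in_use[MAX_REQ_ID];   /* which ids are outstanding */
    uint16_t op_sent[MAX_REQ_ID];  /* what we actually asked for */
};

/* Hand out a request id and remember the operation; returns -1 if none free.
 * The request ring itself is omitted, only the response path matters here. */
int frontend_issue(struct frontend *fe, uint16_t op)
{
    for (int id = 0; id < MAX_REQ_ID; id++) {
        if (!fe->in_use[id]) {
            fe->in_use[id] = 1;
            fe->op_sent[id] = op;
            return id;
        }
    }
    return -1;
}

/* Copy a response out of shared memory exactly once, field by field, so no
 * later check re-reads a value the backend may have changed meanwhile. */
static void copy_rsp_once(struct ring_rsp *dst, const volatile struct ring_rsp *src)
{
    dst->id = src->id;
    dst->operation = src->operation;
    dst->status = src->status;
}

/* Consume published responses. Returns the number completed, or -1 on the
 * first sign of a misbehaving backend; the caller marks the device broken
 * rather than crashing or indexing with an unchecked id. */
int frontend_consume(struct frontend *fe)
{
    uint32_t prod = fe->ring->rsp_prod;   /* producer index read once */
    int completed = 0;

    __sync_synchronize();                 /* slots are visible before the index */

    /* An honest backend can never publish more responses than ring slots. */
    if (prod - fe->rsp_cons > RING_SIZE)
        return -1;

    while (fe->rsp_cons != prod) {
        struct ring_rsp rsp;

        copy_rsp_once(&rsp, &fe->ring->rsp[fe->rsp_cons % RING_SIZE]);
        fe->rsp_cons++;

        if (rsp.id >= MAX_REQ_ID)                  /* would index out of bounds */
            return -1;
        if (!fe->in_use[rsp.id])                   /* unsolicited or duplicated */
            return -1;
        if (rsp.operation != fe->op_sent[rsp.id])  /* trust our record, not the echo */
            return -1;

        fe->in_use[rsp.id] = 0;
        completed++;
        /* rsp.status may report an I/O failure for this one request; that is
         * all the backend can influence. */
    }
    return completed;
}

/* Stand-in for the backend side writing into the shared page. */
void backend_publish(volatile struct ring_shared *ring, uint64_t id, uint16_t op, int16_t status)
{
    volatile struct ring_rsp *slot = &ring->rsp[ring->rsp_prod % RING_SIZE];
    slot->id = id;
    slot->operation = op;
    slot->status = status;
    __sync_synchronize();
    ring->rsp_prod++;
}

/* Constructed scenario: honest backend answers two requests -> 2. */
int demo_honest(void)
{
    struct ring_shared page = {0};
    struct frontend fe = { .ring = &page };
    int a = frontend_issue(&fe, OP_READ), b = frontend_issue(&fe, OP_WRITE);
    backend_publish(&page, (uint64_t)a, OP_READ, 0);
    backend_publish(&page, (uint64_t)b, OP_WRITE, -5);
    return frontend_consume(&fe);
}

/* Constructed scenario: backend returns an id far beyond the pending table -> -1. */
int demo_malicious(void)
{
    struct ring_shared page = {0};
    struct frontend fe = { .ring = &page };
    (void)frontend_issue(&fe, OP_READ);
    backend_publish(&page, 0xdeadbeefULL, OP_READ, 0);
    return frontend_consume(&fe);
}
```

The essential design choice is that every decision in frontend_consume() is taken on the private copy and on the frontend's own bookkeeping (in_use, op_sent), while the shared page is read once per field; a bad id or mismatched operation degrades to a negative return value that the device driver can act on, mirroring the BUG_ON() replacement in the hvc patch.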