
Re: [Xen-ia64-devel] [PATCH][TAKE3] Fix vulnerability of copy_to_user in PAL emulation



Quoting Kouya Shimura <kouya@xxxxxxxxxxxxxx>:

> Hi,
>
> The reputation of my previous patch was not so good,
> so I rewrote it. The attached patch is a temporary fix
> for xen-3.2.
>
> I think this patch is enough for normal usage.
> Please see SDM Vol2 11.10.2.1.3 "Making PAL Procedure
> Calls in Physical or Virtual Mode".
> If the caller has the responsibility of providing a DTR or DTC
> mapping, xencomm for PAL might be unnecessary.

Right, that's a very interesting way.  It also implies the buffer can't
spread across two pages.

> I confirmed there is no problem in Linux, Windows 2003,
> Windows 2008 with this patch.

Good!

> As for the PV domain, the same logic can't be used due to
> only one vTLB. This patch only checks that the buffer
> never points to a VMM address, which would avoid the vulnerability.

Ok.

Tristan.

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel


 

