lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b733a132-e3a8-d096-a015-f1762165cc21@citrix.com>
Date:   Tue, 12 Sep 2017 19:54:22 +0100
From:   Andrew Cooper <andrew.cooper3@...rix.com>
To:     Juergen Gross <jgross@...e.com>, <linux-kernel@...r.kernel.org>,
        <xen-devel@...ts.xenproject.org>
CC:     <boris.ostrovsky@...cle.com>
Subject: Re: [Xen-devel] [PATCH 4/4] xen: select grant interface version

On 08/09/17 15:48, Juergen Gross wrote:
>  static void gnttab_request_version(void)
>  {
> -	int rc;
> +	long rc;
>  	struct gnttab_set_version gsv;
>  
> -	gsv.version = 1;
> +	rc = HYPERVISOR_memory_op(XENMEM_maximum_ram_page, NULL);

This hypercall is information leak and layering violation.  Please can
we avoid adding more dependence on its presence?  (I'm got a
proto-series which strips various corners off the hypervisor for attack
surface reduction purposes, and this hypercall is one victim which is
restricted to privileged domains only.)

For translated guests, it is definitely not the right number to check. 
What matters is the maximum frame inside the translated guest, not on
the host.

For PV guests, I'm not sure what to suggest, but the result of
XENMEM_maximum_ram_page isn't applicable.  Xen's max_page can increase
at runtime through memory hotplug, after which ballooning operations can
leave Linux with a frame it wishes to grant which exceeds the limit
calculated here.

The more I look into this, the more of a mess it turns out to be.

~Andrew

> +	if (rc < 0 || !(rc >> 32))
> +		gsv.version = 1;
> +	else
> +		gsv.version = 2;
> +	if (xen_gnttab_version >= 1 && xen_gnttab_version <= 2)
> +		gsv.version = xen_gnttab_version;
>  
>  	rc = HYPERVISOR_grant_table_op(GNTTABOP_set_version, &gsv, 1);
>  	if (rc == 0 && gsv.version == 2)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ