Message-ID: <5BE3A430.7030505@intel.com>
Date: Thu, 08 Nov 2018 10:49:20 +0800
From: Wei Wang <wei.w.wang@...el.com>
To: "Michael S. Tsirkin" <mst@...hat.com>, linux-kernel@...r.kernel.org
Subject: Re: virtio-balloon: VIRTIO_BALLOON_F_PAGE_POISON discussion
On 11/07/2018 11:27 PM, Michael S. Tsirkin wrote:
+ LKML
> On Wed, Nov 07, 2018 at 02:29:02PM +0000, Wang, Wei W wrote:
>> Hi Michael,
>>
>>
>>
>> Thanks again for reviewing so many versions of patches, and I learnt a lot from
>> your comments.
>>
>>
>>
>> While I’m writing the virtio-balloon spec patches, I’m thinking probably we
>> don’t need VIRTIO_BALLOON_F_PAGE_POISON to limit
>> VIRTIO_BALLOON_F_FREE_PAGE_HINT, because now the guest frees the allocated
>> pages after the migration is done (that is, the skipped free pages will be
>> poisoned when the guest is already on the destination machine).
> The concern was this:
>
> guest poisons the page by writing a non-0 pattern there
> guest sends page to host
> VM is migrated, page is unmapped
> guest reads page, zero page is mapped
Not sure about this one: I think the guest wouldn't read the page,
since it is held by the balloon (the balloon itself will also
not read it; the page just stays on a list waiting to be freed).
Please see the example below.
> guest sees 0 in page and detects it as use after free
- The balloon collects (i.e. allocs) a free page X (it now
has the 0xaa poison value) and reports X to the host to be skipped in
migration;
- Now the VM is migrated to the destination, and on the destination
side, X is not mapped initially.
- Nobody will access X since it has been taken by the balloon
and stays on a list waiting to be freed. So the first thing
that will get X mapped is the moment the balloon
returns X to mm via free(), as free() writes the
poison value to X.
Best,
Wei
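The two orderings discussed in this thread, as an added toy model that is not kernel code and not part of the original mail: a page is poisoned with 0xaa on free(), checked for an intact pattern on the next alloc (the way the page allocator's poison check behaves), and a page that was reported as a free-page hint arrives on the destination unmapped, so the first touch there maps a zero page. The 64-byte "page", the struct and all function names are assumptions made for the model. Scenario A is the concern raised above (the page is touched before anything re-poisons it, so the allocator's check sees zeros and reports a use-after-free); scenario B is the ordering described in the reply (the balloon holds the page and returns it through free(), which rewrites the poison before any reader can see the zero page).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 64   /* shrunk for the model; real pages are 4 KiB */
#define PAGE_POISON 0xaa     /* pattern written by the allocator on free() */

/* Toy page: contents plus whether it is backed by memory on the current host. */
struct model_page {
    uint8_t data[MODEL_PAGE_SIZE];
    bool present;
};

/* First touch of an unmapped page on the destination maps the zero page. */
static void page_touch(struct model_page *p)
{
    if (!p->present) {
        memset(p->data, 0, sizeof p->data);
        p->present = true;
    }
}

/* free(): the allocator writes the poison pattern into the page. */
static void page_free(struct model_page *p)
{
    page_touch(p);   /* writing the poison is itself a touch */
    memset(p->data, PAGE_POISON, sizeof p->data);
}

/* alloc(): the allocator verifies the poison survived; false = "memory corruption". */
static bool page_alloc_check(struct model_page *p)
{
    page_touch(p);   /* reading the page to check it is a touch too */
    for (size_t i = 0; i < sizeof p->data; i++)
        if (p->data[i] != PAGE_POISON)
            return false;
    return true;
}

/* The page was reported as a free-page hint, so migration did not copy it. */
static void migrate_skipping(struct model_page *p)
{
    p->present = false;
}

/* Scenario A: hinted page is touched on the destination before anything re-poisons it. */
bool scenario_touch_before_free(void)
{
    struct model_page x = { .present = true };
    page_free(&x);          /* X is free and poisoned with 0xaa */
    migrate_skipping(&x);   /* X skipped; unmapped on the destination */
    page_touch(&x);         /* some reader maps the zero page */
    return page_alloc_check(&x);   /* zeros != poison: reported as use-after-free */
}

/* Scenario B: balloon holds X until after migration and returns it via free() first. */
bool scenario_balloon_free_first(void)
{
    struct model_page x = { .present = true };
    page_free(&x);                  /* X is free and poisoned with 0xaa */
    if (!page_alloc_check(&x))      /* balloon allocs X: poison intact */
        return false;
    migrate_skipping(&x);           /* X reported to the host and skipped */
    page_free(&x);                  /* balloon returns X to mm: free() re-poisons it */
    return page_alloc_check(&x);    /* next alloc finds the pattern intact */
}

int main(void)
{
    printf("touch before free passes poison check: %s\n",
           scenario_touch_before_free() ? "yes" : "no");
    printf("balloon free() first passes poison check: %s\n",
           scenario_balloon_free_first() ? "yes" : "no");
    return 0;
}
```

The model deliberately makes both the poison check and the poison write count as a touch, because that is what makes the ordering matter: whichever of them happens first on the destination decides whether the allocator sees 0xaa or the zero page.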