Message-ID: <20181107214929-mutt-send-email-mst@kernel.org>
Date: Wed, 7 Nov 2018 21:50:42 -0500
From: "Michael S. Tsirkin" <mst@...hat.com>
To: Wei Wang <wei.w.wang@...el.com>
Cc: linux-kernel@...r.kernel.org
Subject: Re: virtio-balloon: VIRTIO_BALLOON_F_PAGE_POISON discussion
On Thu, Nov 08, 2018 at 10:49:20AM +0800, Wei Wang wrote:
> On 11/07/2018 11:27 PM, Michael S. Tsirkin wrote:
>
> + LKML
>
> > On Wed, Nov 07, 2018 at 02:29:02PM +0000, Wang, Wei W wrote:
> > > Hi Michael,
> > >
> > >
> > > Thanks again for reviewing so many versions of patches, and I learnt a lot from
> > > your comments.
> > >
> > >
> > > While I’m writing the virtio-balloon spec patches, I’m thinking probably we
> > > don’t need VIRTIO_BALLOON_F_PAGE_POISON to limit
> > > VIRTIO_BALLOON_F_FREE_PAGE_HINT, because now the guest frees the allocated
> > > pages after the migration is done (that is, the skipped free pages will be
> > > poisoned when the guest is already on the destination machine).
> > The concern was this:
> >
> > guest poisons the page by writing a non-0 pattern there
> > guest sends page to host
> > VM is migrated, page is unmapped
> > guest reads page, zero page is mapped
>
> Not sure about this one: I think guest wouldn't read the page,
> since they are held by balloon (balloon itself will also
> not read it, the page just stays on a list waiting to be freed).
> Please see the below example.
>
> > guest sees 0 in page and detects it as use after free
>
> - balloon collects (i.e. alloc) a free page X (now it
> has 0xaa poison value) and reports X to host to be skipped in
> migration;
> - Now VM is migrated to the destination, and on the destination
> side, X is not mapped initially.
> - Nobody will access X since it has been taken by balloon
> and stays on a list waiting to be freed. So the first chance
> that will get X mapped will be the moment that balloon
> returns X to mm via free(), as free() writes the
> poison value to X.
>
>
> Best,
> Wei
Oh I see, that was with the previous design where we bypassed alloc.
I think you are right, but better stress-test it.
--
MST
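The scenario argued above, as an added example that is not part of the thread: a user-space model in C of the two free-page-hinting designs, written with the Linux page-poisoning semantics (the poison pattern is written on free and verified on the next allocation) and a migration step that leaves hinted pages unmapped on the destination so that their first read returns zeros. The page count, page size, the 0xaa pattern and the function names are this model's own assumptions, not the virtio-balloon driver's code. `run_scenario(false)` models the design in the thread, where the balloon allocates page X, reports it, and returns it via free() after migration; `run_scenario(true)` models the earlier design that reported pages straight off the free list without allocating them.

```c
/*
 * Added example, not code from the original thread. Models free-page
 * hinting under CONFIG_PAGE_POISONING-style semantics: poison on free,
 * verify the poison on allocation, report a mismatch as corruption.
 * NR_PAGES, PAGE_SZ and the poison value are assumptions of the model.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_PAGES    8
#define PAGE_SZ     64
#define PAGE_POISON 0xaa   /* the pattern used in the discussion */

struct page {
    unsigned char mem[PAGE_SZ];
    bool free;             /* currently on the free list */
    bool hinted;           /* reported to the host as free for migration */
};

static struct page pages[NR_PAGES];
static int corruption_reports;

/* free(): the kernel writes the poison pattern when a page is freed */
static void free_page(struct page *p)
{
    memset(p->mem, PAGE_POISON, PAGE_SZ);
    p->free = true;
}

/* alloc(): verify the poison survived while the page sat on the free list */
static struct page *alloc_page(void)
{
    for (int i = 0; i < NR_PAGES; i++) {
        struct page *p = &pages[i];
        if (!p->free)
            continue;
        for (int j = 0; j < PAGE_SZ; j++) {
            if (p->mem[j] != PAGE_POISON) {
                corruption_reports++;  /* kernel would flag use-after-free */
                break;
            }
        }
        p->free = false;
        return p;                      /* content is left as-is, like unpoison */
    }
    return NULL;
}

/* Live migration: hinted pages are skipped; on the destination the first
 * access maps the zero page, modelled here by zeroing the contents. */
static void migrate(void)
{
    for (int i = 0; i < NR_PAGES; i++) {
        if (pages[i].hinted) {
            memset(pages[i].mem, 0, PAGE_SZ);
            pages[i].hinted = false;
        }
    }
}

/* Returns the number of false "corruption" reports raised after migration. */
int run_scenario(bool bypass_alloc)
{
    struct page *held[NR_PAGES];
    int nheld = 0, i;

    corruption_reports = 0;
    memset(pages, 0, sizeof(pages));
    for (i = 0; i < NR_PAGES; i++)
        free_page(&pages[i]);          /* every page starts free and poisoned */

    /* The balloon reports half of the free pages to the host. */
    for (i = 0; i < NR_PAGES / 2; i++) {
        struct page *p = bypass_alloc ? &pages[i] : alloc_page();
        p->hinted = true;
        if (!bypass_alloc)
            held[nheld++] = p;         /* page X stays on the balloon's list */
    }

    migrate();                         /* hinted pages now read as zeros */

    /* Thread's design: the balloon returns its pages via free(), which
     * rewrites the poison before any other user can observe the page. */
    for (i = 0; i < nheld; i++)
        free_page(held[i]);

    /* Guest workload allocates every page; each allocation checks poison. */
    while (alloc_page() != NULL)
        ;
    return corruption_reports;
}

int main(void)
{
    printf("alloc-based hinting: %d false reports\n", run_scenario(false));
    printf("free-list bypass:    %d false reports\n", run_scenario(true));
    return 0;
}
```

With the bypass design the hinted pages are still on the free list when they come back as zeros, so every one of them trips the poison check on its next allocation; with the allocate-then-free design the only path that maps the page again is free(), which rewrites the pattern first, so no false report occurs. The model does not cover the stress-test angle MST raises (concurrent allocation during migration), only the single-sequence argument in the thread.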