Xen devel - Apr 2006 - Changing semantics of ioperm() on Xen x86-64?

As part of the Xen x86-64 Linux port, we''ve changed the ioperm()
syscall
to always modify the IOPL instead of actually modifying the IO bitmap in 
the TSS like we do on x86-32.  Is there a particular reason for doing this?

I''m completely guessing here that this may allow us to avoid changing 
the TR when changing from user/kernel mode but that doesn''t seem like 
that huge of a gain.

I don''t expect that there are many apps that would rely on using ioperm
to restrict access to only certain ranges of ports so I don''t think
this
is a security problem but it still is a little discomforting.

Comments?

Regards,

Anthony Liguori

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> As part of the Xen x86-64 Linux port, we''ve changed the 
> ioperm() syscall to always modify the IOPL instead of 
> actually modifying the IO bitmap in the TSS like we do on 
> x86-32.  Is there a particular reason for doing this?
I don''t believe so. io bitmap support was added to the hypervisor and
the corresponding ioperm support got added on i386, but was never
carried across to x86_64.

We would definitely benefit from someone doing a code review of x86_64
with a view to unifying as many of the xen patches with i386 as
possible. There''s certainly some needless/unhelpful divergence.

Ian 
 
> I''m completely guessing here that this may allow us to avoid 
> changing the TR when changing from user/kernel mode but that 
> doesn''t seem like that huge of a gain.
> 
> I don''t expect that there are many apps that would rely on 
> using ioperm to restrict access to only certain ranges of 
> ports so I don''t think this is a security problem but it 
> still is a little discomforting.
> 
> Comments?
> 
> Regards,
> 
> Anthony Liguori
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel
> 
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Ian Pratt wrote:
>>As part of the Xen x86-64 Linux port, we''ve changed the 
>>ioperm() syscall to always modify the IOPL instead of 
>>actually modifying the IO bitmap in the TSS like we do on 
>>x86-32.  Is there a particular reason for doing this?
> 
> 
> I don''t believe so. io bitmap support was added to the hypervisor
and
> the corresponding ioperm support got added on i386, but was never
> carried across to x86_64.
> 
> We would definitely benefit from someone doing a code review of x86_64
> with a view to unifying as many of the xen patches with i386 as
> possible. There''s certainly some needless/unhelpful divergence.
> 
> Ian 
Above issue was caught by a LTP test case failure, btw...

thanks,
Nivedita

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On 18 Apr 2006, at 22:50, Anthony Liguori wrote:
> As part of the Xen x86-64 Linux port, we''ve changed the ioperm() 
> syscall to always modify the IOPL instead of actually modifying the IO 
> bitmap in the TSS like we do on x86-32.  Is there a particular reason 
> for doing this?
>
> I''m completely guessing here that this may allow us to avoid
changing
> the TR when changing from user/kernel mode but that doesn''t seem
like
> that huge of a gain.
>
> I don''t expect that there are many apps that would rely on using 
> ioperm to restrict access to only certain ranges of ports so I
don''t
> think this is a security problem but it still is a little 
> discomforting.
As Ian said, x86/64 port took an old snap of the i386 port and has gone 
stale in quite a few ways. It needs some maintenance TLC. i386 did the 
same thing with ioperm() until io bitmap support was added to Xen.

  -- Keir


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel