thr3ads.net - Xen devel - [Xen-devel] [XSM] Potential security vulnerability and inconsistency in evtchn

If this information is useful, please help other people find it:
Share via:

Tan, Lin

2008-Feb-17 18:04 UTC

[Xen-devel] [XSM] Potential security vulnerability and inconsistency in evtchn_close

Hi All,

I found that evtchn_close() is not checked for authorization by xsm hooks in
some cases.

There is no xsm permission check before evtchn_close() called in
do_event_channel_op() as shown below. I imagine, maybe there is no need to check
if one can close itself, but it is probably still good to add a xsm hook inside
evtchn_close() in case we decide to expand evtchn_close() to close other domains
later.

In addition, almost all other functions such as evtchn_send() and
evtchn_status() put their xsm hooks inside themselves, it would be more
consistent to add a xsm_evtchn_close() hook in evtchn_close(). What do you
think? Thanks.

818   long do_event_channel_op(int cmd, XEN_GUEST_HANDLE(void) arg) {
...
874     case EVTCHNOP_close: {
875         struct evtchn_close close;
876         if ( copy_from_guest(&close, arg, 1) != 0 )
877             return -EFAULT;
878         rc = evtchn_close(&close);
879         break;
...
}

Thanks,
Lin

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Xen devel - Feb 2008 - [XSM] Potential security vulnerability and inconsistency in evtchn_close

[Xen-devel] [XSM] Potential security vulnerability and inconsistency in evtchn_close