After mapping a readonly granted page in a PV guest, the guest can try to change his l1 page table entry, faulting into Xen. Here xen emulates the update operation, but first it must check whether the modification is allowed or not (i.e. the grant is readonly or not). I'm looking through the code, but I can't find where this checking is done. Can anyone help?!

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
On Wed, 2011-10-26 at 17:46 +0100, Mohammad Hedayati wrote:
> After mapping a readonly granted page in a PV guest, the guest can try
> to change his l1 page table entry, faulting into Xen. Here xen
> emulates the update operation, but first it must check whether the
> modification is allowed or not (i.e. the grant is readonly or not).
> I'm looking through the code, but I can't find where this checking is
> done. Can anyone help?!

I don't think a guest can modify any grant mapping that way, read only or otherwise, they have to use the GNTTABOP hypercalls.

The thing which prevents it is that the page is really owned by another domain so the get_page_from_l1e in ptwr_emulated_update will fail.

(disclaimer, I'm not really sure about this...)

Ian.
Though the page is not owned by the issuing domain, the l1 page is, so the l1e_get_page (if you meant so instead of get_page_from_l1e) succeeds. There should be a check somewhere else, probably in x86_emulate or subordinate routines.

On Wed, Oct 26, 2011 at 8:25 PM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> On Wed, 2011-10-26 at 17:46 +0100, Mohammad Hedayati wrote:
>> After mapping a readonly granted page in a PV guest, the guest can try
>> to change his l1 page table entry, faulting into Xen. Here xen
>> emulates the update operation, but first it must check whether the
>> modification is allowed or not (i.e. the grant is readonly or not).
>> I'm looking through the code, but I can't find where this checking is
>> done. Can anyone help?!
>
> I don't think a guest can modify any grant mapping that way, read only
> or otherwise, they have to use the GNTTABOP hypercalls.
>
> The thing which prevents it is that the page is really owned by another
> domain so the get_page_from_l1e in ptwr_emulated_update will fail.
>
> (disclaimer, I'm not really sure about this...)
>
> Ian.
>
Please don't top post.

On Wed, 2011-10-26 at 18:36 +0100, Mohammad Hedayati wrote:
> Though the page is not owned by the issuing domain, the l1 page is, so
> the l1e_get_page (if you meant so instead of get_page_from_l1e)
> succeeds. There should be a check somewhere else, probably in
> x86_emulate or subordinate routines.

I really did mean get_page_from_l1e which takes a reference on the page referenced by an l1e, not the page containing that l1e. i.e. it takes a reference on a data page not an l1 page-table page.

l1e_get_page just extracts the pfn from a PTE and converts it to a struct page so it isn't interesting from this point of view.

Ian.

>
> On Wed, Oct 26, 2011 at 8:25 PM, Ian Campbell <Ian.Campbell@citrix.com> wrote:
> > On Wed, 2011-10-26 at 17:46 +0100, Mohammad Hedayati wrote:
> >> After mapping a readonly granted page in a PV guest, the guest can try
> >> to change his l1 page table entry, faulting into Xen. Here xen
> >> emulates the update operation, but first it must check whether the
> >> modification is allowed or not (i.e. the grant is readonly or not).
> >> I'm looking through the code, but I can't find where this checking is
> >> done. Can anyone help?!
> >
> > I don't think a guest can modify any grant mapping that way, read only
> > or otherwise, they have to use the GNTTABOP hypercalls.
> >
> > The thing which prevents it is that the page is really owned by another
> > domain so the get_page_from_l1e in ptwr_emulated_update will fail.
> >
> > (disclaimer, I'm not really sure about this...)
> >
> > Ian.
> >
> >
At 20:16 +0330 on 26 Oct (1319660209), Mohammad Hedayati wrote:
> After mapping a readonly granted page in a PV guest, the guest can try to
> change his l1 page table entry, faulting into Xen. Here xen emulates the
> update operation, but first it must check whether the modification is
> allowed or not (i.e. the grant is readonly or not).
> I'm looking through the code, but I can't find where this checking is done.

Emulated writes go through ptwr_emulated_update() which calls get_page_from_l1e(), which won't let the guest write a PTE that maps another VM's memory.

Tim.
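A hypothetical C model, added here and not Xen's code, of the check Ian and Tim point at: the emulated write validates the frame the new l1e would map (not the L1 page that holds the entry), so a PV guest cannot rewrite a PTE so that it points into another domain's memory. The two domains, the frame table, MK_L1E, model_get_page_from_l1e and emulate_write are all constructed for this example; reference counting and the handling of the old entry are not modelled.

```c
#include <stdint.h>

/* Hypothetical model of the ownership check discussed in the thread; this is
 * NOT Xen's code. A PV guest's emulated write to one of its own L1 page-table
 * entries is accepted only when the data frame the new entry maps is owned by
 * the writing domain. All names, domains and the frame table are constructed. */

#define PAGE_SHIFT  12
#define NR_FRAMES   8
#define PTE_PRESENT 0x1ULL
#define PTE_RW      0x2ULL
#define MK_L1E(mfn, flags) ((((uint64_t)(mfn)) << PAGE_SHIFT) | (flags))

struct domain    { int domid; };
struct page_info { struct domain *owner; };

static struct domain dom_a = { 1 };   /* the PV guest doing the PTE write */
static struct domain dom_b = { 2 };   /* the domain that granted a page to dom_a */

/* Constructed frame table: frames 0-3 belong to dom_a, frames 4-7 to dom_b. */
static struct page_info frame_table[NR_FRAMES] = {
    [0] = { &dom_a }, [1] = { &dom_a }, [2] = { &dom_a }, [3] = { &dom_a },
    [4] = { &dom_b }, [5] = { &dom_b }, [6] = { &dom_b }, [7] = { &dom_b },
};

/* Analogue of get_page_from_l1e(): look at the frame the NEW l1e points to
 * (not the L1 page holding the entry) and refuse it if another domain owns it. */
static int model_get_page_from_l1e(uint64_t l1e, struct domain *d)
{
    if (!(l1e & PTE_PRESENT))
        return 0;                              /* maps nothing: nothing to check */
    uint64_t mfn = l1e >> PAGE_SHIFT;
    if (mfn >= NR_FRAMES)
        return -1;                             /* no such machine frame */
    if (frame_table[mfn].owner != d)
        return -1;                             /* foreign frame (e.g. grant-mapped) */
    return 0;
}

/* Analogue of ptwr_emulated_update(): returns the PTE value after the emulated
 * write, which is unchanged when the new entry is rejected. */
static uint64_t emulate_write(uint64_t cur_l1e, uint64_t new_l1e, struct domain *d)
{
    if (model_get_page_from_l1e(new_l1e, d) != 0)
        return cur_l1e;                        /* write refused, entry kept as is */
    return new_l1e;
}
```

With these frames, dom_a trying to turn its read-only mapping of dom_b's frame 6 into a read-write one gets the old entry back unchanged, while the same rewrite of its own frame 2 goes through.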