[Xen-devel] Mapping active GDT

2017-03-10 Thread Boris Ostrovsky
I am looking into GDT remap series [0] which crashes PV guests and it
seems that the problem lies in the fact that we cannot establish new
mapping to an already existing GDT.

The mapping is created by

+static inline void setup_fixmap_gdt(int cpu)
+{
+   __set_fixmap(get_cpu_gdt_ro_index(cpu),
+__pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
+}
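Review bot: the `__set_fixmap()` call in `setup_fixmap_gdt()` fills the slot returned by `get_cpu_gdt_ro_index(cpu)` with `PAGE_KERNEL`, a writable protection, so the alias named as read-only is in fact writable. A writable second mapping of the live GDT is what a PV hypervisor has to refuse, which matches the `PGT_writable_page` failure reported with this hunk. Pass a read-only protection here (`PAGE_KERNEL_RO` is the one mentioned in this thread) and add a comment stating that this alias must never be writable.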

with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in

(XEN) mm.c:2570:d94v0 Bad type (saw 5401 != exp
7000) for mfn 1538fb (pfn 3e809)
(XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
(XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
8001538fb063 for l1e_owner=94, pg_owner=94

(after a small change to xen_set_fixmap(), which I think was missing)

Before I try to come up with a fix I wanted to check here to see if this
(not being able to map active GDT) is indeed the case.

-boris


[0]
https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html


___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


Re: [Xen-devel] Mapping active GDT

2017-03-10 Thread Boris Ostrovsky
On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
> I am looking into GDT remap series [0] which crashes PV guests and it
> seems that the problem lies in the fact that we cannot establish new
> mapping to an already existing GDT.
>
> The mapping is created by
>
> +static inline void setup_fixmap_gdt(int cpu)
> +{
> +   __set_fixmap(get_cpu_gdt_ro_index(cpu),
> +__pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
> +}
>
> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>
> (XEN) mm.c:2570:d94v0 Bad type (saw 5401 != exp
> 7000) for mfn 1538fb (pfn 3e809)
> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
> 8001538fb063 for l1e_owner=94, pg_owner=94
>
> (after a small change to xen_set_fixmap(), which I think was missing)
>
> Before I try to come up with a fix I wanted to check here to see if this
> (not being able to map active GDT) is indeed the case.

Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.

I was working with wrong branch ;-( Sorry for the noise.

-boris

>
> -boris
>
>
> [0]
> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>
>


Re: [Xen-devel] Mapping active GDT

2017-03-11 Thread Andrew Cooper
On 11/03/2017 03:58, Boris Ostrovsky wrote:
> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>> I am looking into GDT remap series [0] which crashes PV guests and it
>> seems that the problem lies in the fact that we cannot establish new
>> mapping to an already existing GDT.
>>
>> The mapping is created by
>>
>> +static inline void setup_fixmap_gdt(int cpu)
>> +{
>> +   __set_fixmap(get_cpu_gdt_ro_index(cpu),
>> +__pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
>> +}
>>
>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>
>> (XEN) mm.c:2570:d94v0 Bad type (saw 5401 != exp
>> 7000) for mfn 1538fb (pfn 3e809)
>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>> 8001538fb063 for l1e_owner=94, pg_owner=94

The problem here is that you are trying to create a writeable mapping to
the GDT frame.

Allowing the guest writeable access would be a security hole, as it is
trivial to escalate privilege under those circumstances.

~Andrew

>>
>> (after a small change to xen_set_fixmap(), which I think was missing)
>>
>> Before I try to come up with a fix I wanted to check here to see if this
>> (not being able to map active GDT) is indeed the case.
> Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.
>
> I was working with wrong branch ;-( Sorry for the noise.
>
> -boris
>
>> -boris
>>
>>
>> [0]
>> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>>
>>
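An added example, not code from this thread or from Xen: a simplified C model of the exclusive frame-type rule behind the errors quoted above, showing why a writable alias of an active GDT frame is refused while a read-only alias is accepted. The names `frame`, `get_type`, `put_type`, `load_as_gdt` and `map_frame` are hypothetical, and the type codes 5 and 7 are assumed from the leading digits of the `saw`/`exp` values in the log.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not Xen source. A frame holds one exclusive type while
 * any reference to that type exists. Codes 5 and 7 are assumed from the
 * leading digits of the "saw"/"exp" values in the quoted log. */
enum frame_type { T_NONE = 0, T_SEG_DESC = 5, T_WRITABLE = 7 };

struct frame {
    enum frame_type type;    /* current exclusive type */
    unsigned int type_refs;  /* references held on that type */
};

/* Take a type reference: allowed only if untyped or already of that type. */
static bool get_type(struct frame *f, enum frame_type want)
{
    if (f->type_refs != 0 && f->type != want)
        return false;        /* the "Bad type (saw ... != exp ...)" case */
    f->type = want;
    f->type_refs++;
    return true;
}

/* Drop a type reference; the frame becomes untyped when the last one goes. */
static void put_type(struct frame *f)
{
    if (f->type_refs != 0 && --f->type_refs == 0)
        f->type = T_NONE;
}

/* Using a frame as a GDT page pins it to the descriptor type, so the
 * hypervisor stays in control of what descriptors it contains. */
static bool load_as_gdt(struct frame *f) { return get_type(f, T_SEG_DESC); }

/* Only a writable mapping needs the writable type; read-only does not. */
static bool map_frame(struct frame *f, bool writable)
{
    return writable ? get_type(f, T_WRITABLE) : true;
}

int main(void)
{
    struct frame gdt = { T_NONE, 0 };
    load_as_gdt(&gdt);
    printf("rw alias: %s\n", map_frame(&gdt, true) ? "ok" : "refused");
    printf("ro alias: %s\n", map_frame(&gdt, false) ? "ok" : "refused");
    put_type(&gdt);          /* GDT unloaded: the frame is untyped again */
    return 0;
}
```

The rule is symmetric: a frame that still has a writable mapping cannot be loaded as a GDT until that mapping is dropped.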


Re: [Xen-devel] Mapping active GDT

2017-03-13 Thread Boris Ostrovsky
On 03/11/2017 08:06 AM, Andrew Cooper wrote:
> On 11/03/2017 03:58, Boris Ostrovsky wrote:
>> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>>> I am looking into GDT remap series [0] which crashes PV guests and it
>>> seems that the problem lies in the fact that we cannot establish new
>>> mapping to an already existing GDT.
>>>
>>> The mapping is created by
>>>
>>> +static inline void setup_fixmap_gdt(int cpu)
>>> +{
>>> +   __set_fixmap(get_cpu_gdt_ro_index(cpu),
>>> +__pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
>>> +}
>>>
>>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>>
>>> (XEN) mm.c:2570:d94v0 Bad type (saw 5401 != exp
>>> 7000) for mfn 1538fb (pfn 3e809)
>>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>>> 8001538fb063 for l1e_owner=94, pg_owner=94
> The problem here is that you are trying to create a writeable mapping to
> the GDT frame.
>
> Allowing the guest writeable access would be a security hole, as it is
> trivial to escalate privilege under those circumstances.

Right, and I saw the same failure symptoms (hypervisor errors) even when
I replaced PAGE_KERNEL with PAGE_KERNEL_RO.

And then I realized that I was on a branch with other unrelated changes,
so I switched the branch and then things started to work. Thus my mea
culpa below.

-boris

>
> ~Andrew
>
>>> (after a small change to xen_set_fixmap(), which I think was missing)
>>>
>>> Before I try to come up with a fix I wanted to check here to see if this
>>> (not being able to map active GDT) is indeed the case.
>> Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.
>>
>> I was working with wrong branch ;-( Sorry for the noise.
>>
>> -boris
>>
>>> -boris
>>>
>>>
>>> [0]
>>> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>>>
>>>


Re: [Xen-devel] Mapping active GDT

2017-03-13 Thread Thomas Garnier
On Mon, Mar 13, 2017 at 6:09 AM, Boris Ostrovsky wrote:
> On 03/11/2017 08:06 AM, Andrew Cooper wrote:
>> On 11/03/2017 03:58, Boris Ostrovsky wrote:
>>> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>>>> I am looking into GDT remap series [0] which crashes PV guests and it
>>>> seems that the problem lies in the fact that we cannot establish new
>>>> mapping to an already existing GDT.
>>>>
>>>> The mapping is created by
>>>>
 +static inline void setup_fixmap_gdt(int cpu)
 +{
 +   __set_fixmap(get_cpu_gdt_ro_index(cpu),
 +__pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
 +}

>>>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>>>
>>>> (XEN) mm.c:2570:d94v0 Bad type (saw 5401 != exp
>>>> 7000) for mfn 1538fb (pfn 3e809)
>>>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>>>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>>>> 8001538fb063 for l1e_owner=94, pg_owner=94
>> The problem here is that you are trying to create a writeable mapping to
>> the GDT frame.
>>
>> Allowing the guest writeable access would be a security hole, as it is
>> trivial to escalate privilege under those circumstances.
>
> Right, and I saw the same failure symptoms (hypervisor errors) even when
> I replaced PAGE_KERNEL with PAGE_KERNEL_RO.
>
> And then I realized that I was on a branch with other unrelated changes,
> so I switched the branch and then things started to work. Thus my mea
> culpa below.
>

So we are good? :) (Meaning I still need to push the fix for 32 bit
but that's it).

> -boris
>
>>
>> ~Andrew
>>
>>>> (after a small change to xen_set_fixmap(), which I think was missing)
>>>>
>>>> Before I try to come up with a fix I wanted to check here to see if this
>>>> (not being able to map active GDT) is indeed the case.
>>> Uhm.. Nevermind. The change in xen_set_fixmap() is probably sufficient.
>>>
>>> I was working with wrong branch ;-( Sorry for the noise.
>>>
>>> -boris
>>>
>>>> -boris
>>>>
>>>>
>>>> [0]
>>>> https://lists.xenproject.org/archives/html/xen-devel/2017-03/msg00869.html
>>>>
>>>>
>



-- 
Thomas



Re: [Xen-devel] Mapping active GDT

2017-03-13 Thread Boris Ostrovsky
On 03/13/2017 01:30 PM, Thomas Garnier wrote:
> On Mon, Mar 13, 2017 at 6:09 AM, Boris Ostrovsky wrote:
>> On 03/11/2017 08:06 AM, Andrew Cooper wrote:
>>> On 11/03/2017 03:58, Boris Ostrovsky wrote:
>>>> On 03/10/2017 09:39 PM, Boris Ostrovsky wrote:
>>>>> I am looking into GDT remap series [0] which crashes PV guests and it
>>>>> seems that the problem lies in the fact that we cannot establish new
>>>>> mapping to an already existing GDT.
>>>>>
>>>>> The mapping is created by
>>>>>
> +static inline void setup_fixmap_gdt(int cpu)
> +{
> +   __set_fixmap(get_cpu_gdt_ro_index(cpu),
> +__pa(get_cpu_gdt_rw(cpu)), PAGE_KERNEL);
> +}
>>>>>
>>>>> with get_cpu_gdt_rw(cpu) being the current GDT pointer. This results in
>>>>>
>>>>> (XEN) mm.c:2570:d94v0 Bad type (saw 5401 != exp
>>>>> 7000) for mfn 1538fb (pfn 3e809)
>>>>> (XEN) mm.c:1022:d94v0 Could not get page type PGT_writable_page
>>>>> (XEN) mm.c:1074:d94v0 Error getting mfn 1538fb (pfn 3e809) from L1 entry
>>>>> 8001538fb063 for l1e_owner=94, pg_owner=94
>>> The problem here is that you are trying to create a writeable mapping to
>>> the GDT frame.
>>>
>>> Allowing the guest writeable access would be a security hole, as it is
>>> trivial to escalate privilege under those circumstances.
>> Right, and I saw the same failure symptoms (hypervisor errors) even when
>> I replaced PAGE_KERNEL with PAGE_KERNEL_RO.
>>
>> And then I realized that I was on a branch with other unrelated changes,
>> so I switched the branch and then things started to work. Thus my mea
>> culpa below.
>>
> So we are good? :) (Meaning I still need to push the fix for 32 bit
> but that's it).
>


No, it will need a few small changes. I am actually finishing the test
run (in the next hour or so) and will reply on the Linux thread.

-boris



Re: [Xen-devel] Mapping active GDT

2017-03-13 Thread Thomas Garnier
On Mon, Mar 13, 2017 at 10:32 AM, Boris Ostrovsky wrote:
> No, it will need a few small changes. I am actually finishing the test
> run (in the next hour or so) and will reply on the Linux thread.
>

Great, thanks again!



-- 
Thomas
