> -----Original Message----- > From: Jan Beulich [mailto:jbeul...@suse.com] > Sent: 12 December 2017 13:25 > To: Paul Durrant <paul.durr...@citrix.com> > Cc: Andrew Cooper <andrew.coop...@citrix.com>; Wei Liu > <wei.l...@citrix.com>; George Dunlap <george.dun...@citrix.com>; Ian > Jackson <ian.jack...@citrix.com>; Stefano Stabellini > <sstabell...@kernel.org>; xen-devel@lists.xenproject.org; Tim (Xen.org) > <t...@xen.org> > Subject: Re: [PATCH v14 07/11] x86/mm: add an extra command to > HYPERVISOR_mmu_update... > > >>> On 28.11.17 at 16:08, <paul.durr...@citrix.com> wrote: > > @@ -1905,7 +1906,8 @@ static int mod_l1_entry(l1_pgentry_t *pl1e, > l1_pgentry_t nl1e, > > } > > > > /* Translate foreign guest address. */ > > - if ( paging_mode_translate(pg_dom) ) > > + if ( cmd != MMU_PT_UPDATE_NO_TRANSLATE && > > + paging_mode_translate(pg_dom) ) > > { > > p2m_type_t p2mt; > > p2m_query_t q = l1e_get_flags(nl1e) & _PAGE_RW ? > > Now that they're public - it was this change which led to the > recognition of the issue XSA-248 describes (which in turn led to the > other three). Without the fix for XSA-248 you'd have introduced a > worse issue here, allowing writable mappings of page table pages > rather than just r/o ones (leading to hypervisor crashes). > > Especially with the bypass of acquiring a writable page ref in > get_page_from_l1e() for domains controlling shadow-external > domains we need to be extremely careful with assigning page > ownership. Before this series goes in I'd therefor like to ask you and > others (especially people on the Cc list) to double check that the > bypass introduced above doesn't allow for other (security) badness. > I think I've sufficiently convinced myself that it doesn't, but this > clearly wants double checking. >
Ok. I'll have another look. Paul > Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel