Re: PV - different behavior of pgd_offset in xen 4.6 and 4.13 for GUEST ACCESSIBLE memory area

2021-10-08 Thread Charles Gonçalves
Thanks for pointing out this fix, Jan. It helped me a lot. Best! On Fri, Oct 8, 2021, 10:30 Jan Beulich wrote: > On 07.10.2021 17:10, Charles Gonçalves wrote: > > During some experiments in my PhD I've tried to reuse code from > > Jann Horn ( > https://bugs.chromium.org/p/p

PV - different behavior of pgd_offset in xen 4.6 and 4.13 for GUEST ACCESSIBLE memory area

2021-10-07 Thread Charles Gonçalves
Hello Guys, During some experiments in my PhD I've tried to reuse code from Jann Horn (https://bugs.chromium.org/p/project-zero/issues/detail?id=1184 ) that used the mapping in ``` 0x8040 - 0x807f [256GB, 2^38 bytes, PML4:256] Reserved for future shared info with the

Re: Serial Console : SOL vs Physical Port

2021-04-29 Thread Charles Gonçalves
Thanks @Jan Beulich On Thu, Apr 29, 2021 at 10:35 AM Jan Beulich wrote: > On 28.04.2021 20:49, Charles Gonçalves wrote: > > Is there any difference between both? > > I'm trying to debug an issue using a SOL but the host crashes before any > > meaningful message. >

Serial Console : SOL vs Physical Port

2021-04-28 Thread Charles Gonçalves
Hello Guys, Is there any difference between both? I'm trying to debug an issue using a SOL but the host crashes before any meaningful message. The SOL is working properly when I can debug some crashes perfectly. But for a specific case I'm wondering if I could be losing some messages.

Re: Writing to arbitrary canonical addresses

2021-04-20 Thread Charles Gonçalves
On Tue, Apr 20, 2021 at 7:05 PM Andrew Cooper wrote: > On 20/04/2021 17:13, Charles Gonçalves wrote: > > Hello Guys, > > > > I'm trying to reproduce old exploit behaviors in a simplistic way: > > create a hypercall to write a buffer to a specific MFN. > > >

Writing to arbitrary canonical addresses

2021-04-20 Thread Charles Gonçalves
Hello Guys, I'm trying to reproduce old exploit behaviors in a simplistic way: create a hypercall to write a buffer to a specific MFN. At first, I thought that updating an l1 page in a valid VA in guest kernel space would do the trick. But for addresses outside the Guest-defined use

Re: Memory Layout on Dom0 in PV

2021-04-16 Thread Charles Gonçalves
Thanks @Andrew, An LKM to dump the arch->p2m_vaddr solved the issue and answered my questions! Atenciosamente, *Charles Ferreira Gonçalves * On Fri, Apr 16, 2021 at 4:12 PM Andrew Cooper wrote: > On 16/04/2021 15:58, Charles Gonçalves wrote: > > Hello Guys, > > Does m

Memory Layout on Dom0 in PV

2021-04-16 Thread Charles Gonçalves
Hello Guys, Is memory on Dom0 also mapped to gpfn or is it mapped directly to mfn? If mapped to gpfn, how can I access its p2m mapping? I'm trying to use the xen-mfndump but it is not working with dom0 ./xen-mfndump dump-p2m 0 xc: error: Could not map the shared info frame (MFN 0xddfe9) (3

Re: Failed to enable debug messages in xen 4.13

2021-04-15 Thread Charles Gonçalves
15:55, Charles Gonçalves wrote: > > I've enabled the log_lvl=all guest_loglvl=all, > > The first one is mis-spelled and needs to be "loglvl=". > > > tried the xl debug-key +, > > If this didn't help, did you perhaps not do a debug build of Xen? > Debug mess

Failed to enable debug messages in xen 4.13

2021-04-15 Thread Charles Gonçalves
Hello Guys, I've enabled the log_lvl=all guest_loglvl=all, tried the xl debug-key +, configured the build with ./configure --enable-debug Am I missing something? xl info 6:15 host : xendev release:

Re: Identify a specific DomU by inspecting all pages in memory

2021-01-05 Thread Charles Gonçalves
: > On 02/01/2021 19:20, Charles Gonçalves wrote: > > Sure. > > > > The goal is to emulate a scenario where a compromised guest attacks > > another > > tenant in the same physical host reading/changing the memory content. > > E.g., extract the RSA key. > > >

Re: Identify a specific DomU by inspecting all pages in memory

2021-01-02 Thread Charles Gonçalves
. Effectively I'll be changing Xen's code (at least possible) to *emulate* a vulnerability (e.g., undo a patch). Atenciosamente, *Charles Ferreira Gonçalves * On Sat, Jan 2, 2021 at 7:06 PM Andrew Cooper wrote: > On 02/01/2021 17:02, Charles Gonçalves wrote: > > Hi, > > > > I'm

Identify a specific DomU by inspecting all pages in memory

2021-01-02 Thread Charles Gonçalves
Hi, I'm building some attack loads targeting Xen for my PhD and need to identify the pages for a specific guest. Assuming that I'm able to traverse the pages in memory, how do I identify a guest (by ID or Name)? The dom0 is easy since I can inspect the start_info looking for SIF_INITDOMAIN but I

[Xen-devel] Vulnerability disclosure vs discovery

2020-03-25 Thread Charles Gonçalves
Hello, I'm a Ph.D. candidate in UC (Portugal) working with Xen's vulnerability discovery process, right now focusing on modeling, and I'd like to understand the process before the disclosure (by XSA or CVE/NVD). It would be nice to have a more precise date that traces a vulnerability (XSA) to

Re: [Xen-devel] domain_crash_sync vs "plain crash"

2018-05-11 Thread Charles Gonçalves
@Andrew, Besides SCHED_OP, which I've blacklisted, which one came to mind? On Mon, May 7, 2018 at 5:13 AM Andrew Cooper wrote: > On 07/05/2018 08:09, Jan Beulich wrote: > On 07.05.18 at 03:06, wrote: > >> When I'm performing some

Re: [Xen-devel] domain_crash_sync vs "plain crash"

2018-05-11 Thread Charles Gonçalves
"That is, without (physical or virtual, depending on component) serial console you're often unlikely to actually observe any messages connected to the crash." I do not have any experience with serial console interaction on Linux. Can you list some examples for both cases (virtual | physical)? I'll

[Xen-devel] domain_crash_sync vs "plain crash"

2018-05-06 Thread Charles Gonçalves
When I'm performing some hypercalls with some "unexpected" parameters (robustness test), sometimes the guest is explicitly "killed" by Xen calling domain_crash(), but sometimes the guest just crashes without any explicit message in dmesg or the logs. Are those "plain crashes" an expected behavior

[Xen-devel] Getting Hypercall [op = 0x0040001a ] on trace

2018-02-19 Thread Charles Gonçalves
Hello, I'm getting this Hypercall [op = 0x0040001a ] on xen trace but can't figure out which operation this is. Using old Xen 4.4.1. Looking at the documentation and also grepping the source code, I couldn't figure out which hypercall this is. Can someone help clarify this? -- Atenciosamente,