Thanks for pointing out this fix, Jan. It helped me a lot.
Best!
On Fri, Oct 8, 2021, 10:30 Jan Beulich wrote:
> On 07.10.2021 17:10, Charles Gonçalves wrote:
> > During some experiments in my PhD I've tried to reused a code from
> > Jann Horn (
> https://bugs.chromium.org/p/p
Hello Guys,
During some experiments in my PhD I've tried to reuse a code from
Jann Horn (https://bugs.chromium.org/p/project-zero/issues/detail?id=1184
) that used the mapping in
```
0x8040 - 0x807f [256GB, 2^38 bytes, PML4:256]
Reserved for future shared info with the
```
Thanks @Jan Beulich
On Thu, Apr 29, 2021 at 10:35 AM Jan Beulich wrote:
> On 28.04.2021 20:49, Charles Gonçalves wrote:
> > Is there any difference between both?
> > I'm trying to debug an issue using a SOL but the host crashes before any
> > meaningful message.
>
Hello Guys,
Is there any difference between both?
I'm trying to debug an issue using a SOL but the host crashes before any
meaningful message.
The SOL is working properly when I can debug some crashes perfectly. But
for a specific case I'm wondering if I could be losing some messages.
On Tue, Apr 20, 2021 at 7:05 PM Andrew Cooper wrote:
> On 20/04/2021 17:13, Charles Gonçalves wrote:
> > Hello Guys,
> >
> > I'm trying to reproduce old exploit behaviors in a simplistic way:
> > create a hypercall to write a buffer to a specific MFN.
> >
>
Hello Guys,
I'm trying to reproduce old exploit behaviors in a simplistic way: create
a hypercall to write a buffer to a specific MFN.
At first, I thought that updating an l1 page in a valid VA in guest kernel
space would do the trick.
But for addresses outside the Guest-defined use
Thanks @Andrew,
A LKM to dump the arch->p2m_vaddr solved the issue and answered my
questions!
Best regards,
*Charles Ferreira Gonçalves*
On Fri, Apr 16, 2021 at 4:12 PM Andrew Cooper wrote:
> On 16/04/2021 15:58, Charles Gonçalves wrote:
>
> Hello Guys,
>
> Does m
Hello Guys,
Is memory on Dom0 also mapped to gpfn, or is it mapped directly to mfn?
If mapped to gpfn, how can I access its p2m mapping?
I'm trying to use xen-mfndump, but it is not working with dom0:
./xen-mfndump dump-p2m 0
xc: error: Could not map the shared info frame (MFN 0xddfe9) (3
15:55, Charles Gonçalves wrote:
> > I've enabled the log_lvl=all guest_loglvl=all,
>
> The first one is mis-spelled and needs to be "loglvl=".
>
> > tried the xl debug-key +,
>
> If this didn't help, did you perhaps not do a debug build of Xen?
> Debug mess
Hello Guys,
I've enabled the log_lvl=all guest_loglvl=all, tried the xl debug-key +,
configured the build with
./configure --enable-debug
Am I missing something?
xl info
6:15
host : xendev
release:
:
> On 02/01/2021 19:20, Charles Gonçalves wrote:
> > Sure.
> >
> > The goal is to emulate a scenario where a compromised guest attacks
> > another
> > tenant in the same physical host reading/changing the memory content.
> > E.g., extract the RSA key.
> >
>
.
Effectively I'll be changing Xen's code (as little as possible) to *emulate* a
vulnerability (e.g., undo a patch).
Best regards,
*Charles Ferreira Gonçalves*
On Sat, Jan 2, 2021 at 7:06 PM Andrew Cooper wrote:
> On 02/01/2021 17:02, Charles Gonçalves wrote:
> > Hi,
> >
> > I'm
Hi,
I'm building some attack loads targeting Xen for my PhD and need to
identify the pages for a specific guest.
Assuming that I'm able to traverse the pages in memory, how do I identify a
guest (by ID or Name)?
The dom0 is easy since I can inspect the start_info looking for
SIF_INITDOMAIN but I
Hello,
I'm a Ph.D. candidate at UC (Portugal) working with Xen's vulnerability
discovery process, right now focusing on modeling, and I'd like to
understand the process before the disclosure (by XSA or CVE/NVD).
It would be nice to have a more precise date that traces a vulnerability
(XSA) to
@Andrew,
Apart from SCHED_OP, which I've blacklisted, which one came to mind?
On Mon, May 7, 2018 at 5:13 AM Andrew Cooper wrote:
> On 07/05/2018 08:09, Jan Beulich wrote:
> On 07.05.18 at 03:06, wrote:
> >> When I'm performing some
"That is, without (physical
or virtual, depending on component) serial console you're often unlikely to
actually observe any messages connected to the crash."
I do not have any experience with serial console interaction on Linux.
Can you list some examples for both cases (virtual | physical)? I'll
When I'm performing some hypercalls with some "unexpected" parameters
(robustness test), sometimes the guest is explicitly "killed" by Xen
calling domain_crash(), but sometimes the guest just crashes without any
explicit message in dmesg or the logs.
Are those "plain crashes" an expected behavior
Hello,
I'm getting this Hypercall [op = 0x0040001a ] in the xen trace but can't figure
out which operation this is.
Using old Xen 4.4.1.
Looking at the documentation and also grepping the source code, I couldn't
figure out which hypercall this is.
Can someone help clarify this?
--
Best regards,