>>> On 02.11.16 at 11:22, <dario.faggi...@citrix.com> wrote:
> 3) Is there any information leakage?
>
> The only information which the scheduler exposes to unprivileged
> guests is the timing information. This may be able to be used for
> side-channel attacks to probabilistically infer things about other
> vcpus running on the same system; but this has not traditionally
> been considered within the security boundary. And, again, this is
> possible with all schedulers.
>
> The control domain can issue DOMCTL_SCHEDOP and SYSCTL_SCHEDOP
> hypercalls. Auditing such code, nothing that looks like a security
> risk has been found (E.g., there's no risk of leaking content of
> the hypervisor stack, as no buffer/local variables are returned).
There certainly are buffers being returned here. Namely in the credit2
case there's also a 32-bit padding field in the domctl interface
structure (and uniformly for all schedulers there's one in the sysctl
structure), which provides the fundamental means to leak stack data.
However, none of this is a problem, both because iirc leaking stack data
to Dom0 is not really considered a security issue, and because of the way
the structures get dealt with. Nevertheless I think the above paragraph
should be re-worded.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
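The mechanism Jan points at is generic: an interface structure with a padding field is filled on the hypervisor stack, only the meaningful fields are written, and the whole structure is then copied back to the caller, so whatever the stack held earlier travels with it. The following is an added illustration of that pattern and of the usual hardening (zero the whole block before filling it, and audit the non-data bytes before copying out). It is not Xen code: `struct sched_params`, `fill_unsafe`, `fill_safe`, `stale_bytes` and `leaked_bytes_after` are invented names, and the 0xAA sentinel is a constructed stand-in for stale stack contents, used so the effect is deterministic rather than dependent on what happened to be on the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a scheduler domctl/sysctl parameter block:
 * one meaningful field plus an explicit 32-bit padding field, in the
 * spirit of what the thread describes. All names here are invented. */
struct sched_params {
    uint32_t cap;   /* value the hypervisor deliberately fills in */
    uint32_t pad;   /* explicit padding: carries no data, must be zero */
};

/* Constructed sentinel standing in for stale stack data. */
#define STALE_BYTE 0xAAu

/* Model a stack slot that still holds bytes left by an earlier call. */
static void model_stale_stack(struct sched_params *p)
{
    memset(p, STALE_BYTE, sizeof(*p));
}

/* Filler that writes only the field it cares about. The pad field keeps
 * whatever the stack held, so copying this block out leaks those bytes. */
void fill_unsafe(struct sched_params *p, uint32_t cap)
{
    p->cap = cap;
}

/* Hardened filler: zero the whole block first, so every byte returned to
 * the caller is either a deliberately written field or a zero. memset
 * also covers any compiler-inserted padding, which field assignment never
 * touches. */
void fill_safe(struct sched_params *p, uint32_t cap)
{
    memset(p, 0, sizeof(*p));
    p->cap = cap;
}

/* Audit check to run before a block is copied back to the caller: count
 * the nonzero bytes in fields that are not meant to carry data (here only
 * pad). A result of zero means nothing stale would escape. */
size_t stale_bytes(const struct sched_params *p)
{
    const unsigned char *b = (const unsigned char *)&p->pad;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(p->pad); i++)
        if (b[i] != 0)
            n++;
    return n;
}

/* Run one filler on deliberately dirtied storage and report how many
 * stale bytes would reach the caller. */
size_t leaked_bytes_after(void (*filler)(struct sched_params *, uint32_t),
                          uint32_t cap)
{
    struct sched_params p;
    model_stale_stack(&p);
    filler(&p, cap);
    return stale_bytes(&p);
}

int main(void)
{
    printf("unsafe filler leaves %zu stale byte(s) in pad\n",
           leaked_bytes_after(fill_unsafe, 50));
    printf("safe filler leaves %zu stale byte(s) in pad\n",
           leaked_bytes_after(fill_safe, 50));
    return 0;
}
```

Run as is, the unsafe filler reports four stale bytes (the whole padding field) and the safe one reports none. The audit function is the piece worth carrying over into a real review: for each structure copied out to a less privileged caller, enumerate the bytes that are not a written field and require them to be zero, rather than relying on each filler to remember every field.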