Hi,

While I was looking at some unrelated problem with Xen ARM P2M code, I noticed that the function update_runstate_area is using a guest virtual address to update the vCPU runstate. That function will be called when context switching to a vCPU. However, that vCPU may run in userspace context. When KPTI (kernel page table isolation) is used:

In the best case, that address is not mapped into the page-table currently used. Xen will not be able to update the region.

In the worst case, that address is mapped to a different region and Xen will corrupt some bits of the memory.

The code looks fundamentally wrong on Arm; I am not entirely sure about x86.

It looks to me like Xen should always use the guest physical address and therefore translate the virtual address to a physical one in VCPUOP_register_runstate_memory_area. So only the physical address will be used in update_runstate_area, making the function much safer.

Any opinion on this approach?

Cheers,

--
Julien Grall

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
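The following is an added toy model, written for this page and not code from Xen or from the message above. It mimics the two approaches discussed: keeping the guest virtual address and walking whatever page table the vCPU is using at context-switch time, versus translating once at VCPUOP_register_runstate_memory_area time and afterwards writing only through the guest physical address. The page size, number of pages, the "kernel" and "user" page tables and the VA-to-pfn mappings are all assumptions of the model, chosen to reproduce the two failure modes (unmapped VA: update lost; aliased VA: an unrelated page is written).

```c
/*
 * Added toy model (not Xen code) of the two approaches discussed above.
 * Page size, page counts and the VA -> pfn mappings are assumptions
 * made up for this demonstration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 6                        /* toy 64-byte pages */
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     8                        /* toy guest-physical memory */
#define NVPAGES    8                        /* toy guest-virtual address space */

struct pte { int present; unsigned pfn; };

static uint8_t gmem[NPAGES][PAGE_SIZE];     /* guest-physical memory */

/*
 * Guest page tables as with KPTI (assumed layout).  The runstate area
 * lives in kernel-only data at guest VA page 6.  The kernel page table
 * maps it to pfn 3; the page table installed while the vCPU runs in
 * userspace either leaves that VA unmapped (best case) or maps it to an
 * unrelated page (worst case).
 */
static const struct pte kernel_pt[NVPAGES]        = { [6] = { 1, 3 } };
static const struct pte user_pt_unmapped[NVPAGES] = { [6] = { 0, 0 } };
static const struct pte user_pt_aliased[NVPAGES]  = { [6] = { 1, 5 } };

/* One-level page walk: guest VA -> (pfn, offset), or -1 if not mapped. */
static int gva_translate(const struct pte *pt, uintptr_t va,
                         unsigned *pfn, unsigned *off)
{
    unsigned vpn = (unsigned)(va >> PAGE_SHIFT);

    if (vpn >= NVPAGES || !pt[vpn].present)
        return -1;
    *pfn = pt[vpn].pfn;
    *off = (unsigned)(va & (PAGE_SIZE - 1));
    return 0;
}

/* Current behaviour: keep the guest VA, walk the vCPU's page table at
 * context-switch time. */
struct runstate_by_va { uintptr_t va; };

static int update_by_va(const struct runstate_by_va *a,
                        const struct pte *current_pt, uint64_t stamp)
{
    unsigned pfn, off;

    if (gva_translate(current_pt, a->va, &pfn, &off))
        return -1;                          /* best case: update is lost */
    memcpy(&gmem[pfn][off], &stamp, sizeof stamp); /* worst case: wrong page */
    return 0;
}

/* Proposed behaviour: translate once at registration time, using the
 * page table in effect when the guest kernel issues the hypercall, and
 * afterwards write only through the guest physical address. */
struct runstate_by_pa { unsigned pfn; unsigned off; };

static int register_by_pa(struct runstate_by_pa *a,
                          const struct pte *pt_at_hypercall, uintptr_t va)
{
    /* An unmapped VA is rejected up front instead of failing later. */
    return gva_translate(pt_at_hypercall, va, &a->pfn, &a->off);
}

static void update_by_pa(const struct runstate_by_pa *a, uint64_t stamp)
{
    memcpy(&gmem[a->pfn][a->off], &stamp, sizeof stamp);
}

/* Read back a 64-bit value from guest-physical memory (for checking). */
static uint64_t read_u64(unsigned pfn, unsigned off)
{
    uint64_t v;
    memcpy(&v, &gmem[pfn][off], sizeof v);
    return v;
}

int main(void)
{
    const uintptr_t va = (6u << PAGE_SHIFT) + 16;   /* kernel VA of the area */
    struct runstate_by_va by_va = { va };
    struct runstate_by_pa by_pa;

    update_by_va(&by_va, kernel_pt, 0x1111);
    printf("VA, kernel PT:         pfn3=%#llx\n", (unsigned long long)read_u64(3, 16));
    printf("VA, user PT unmapped:  rc=%d (update lost)\n",
           update_by_va(&by_va, user_pt_unmapped, 0x2222));
    update_by_va(&by_va, user_pt_aliased, 0x3333);
    printf("VA, user PT aliased:   pfn3=%#llx pfn5=%#llx (pfn5 corrupted)\n",
           (unsigned long long)read_u64(3, 16), (unsigned long long)read_u64(5, 16));

    register_by_pa(&by_pa, kernel_pt, va);
    update_by_pa(&by_pa, 0x4444);           /* current page table is irrelevant */
    printf("PA, any PT:            pfn3=%#llx\n", (unsigned long long)read_u64(3, 16));
    return 0;
}
```

The model deliberately has no notion of Xen's P2M or of the real runstate layout; it only shows that the VA-based update depends on which guest page table is current at context-switch time, while the registration-time translation does not.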
