Hi Jan,
On 16/06/2025 08:35, Jan Beulich wrote:
On 16.06.2025 08:56, Michal Orzel wrote:
Fix the condition part of the for loop in p2m_invalidate_root() that
uses P2M_ROOT_LEVEL instead of P2M_ROOT_PAGES. The goal here is to
invalidate all root page tables (that can be concatenated), so the loop
must iterate through all these pages. Root level can be 0 or 1, whereas
there can be 1, 2, 8 or 16 root pages. The issue may lead to some pages
not being invalidated and therefore the guest access won't be trapped.
We use it to track pages accessed by guest for set/way emulation provided
no IOMMU, IOMMU not enabled for the domain or P2M not shared with IOMMU.
IOW no security concerns?
Copying/pasting what I wrote on the security channel for the record.
(This was sent after you asked on xen-devel, sorry I should have done it
beforehand):
We both looked at the code and concluded that it is guaranteed that
P2M_ROOT_PAGES >= P2M_ROOT_LEVEL. This means the only issue is an under
invalidation. The logic is only used for the benefit of invalidating the
guest memory when using cache flush by set/way. Because of the issue,
the guest may not clean & invalidate some RAM belonging to itself. We
also don't rely on the p2m_invalidate_root() to ensure any scrubbed
pages content have reached memory. So any under invalidation will only
impact the guest.
Hence why we concluded it wasn't a security issue.
Cheers,
--
Julien Grall
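As an added illustration (not Xen's code and not part of this thread), the following C model reproduces the loop-bound mistake described in the commit message: a root made of concatenated pages is invalidated with the loop bounded by the root level (the bug) and by the page count (the fix), and the entries left valid are counted. The 512-entry page size, the `struct p2m_model` type and all function names are assumptions of the model; the level/page-count combinations are the ones the thread mentions (level 0 or 1; 1, 2, 8 or 16 pages).

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed model parameters: a 4 KiB root page holds 512 entries, and 16 is
 * the largest concatenation the thread mentions. Neither the struct nor the
 * function names are Xen's. */
#define ENTRIES_PER_PAGE 512
#define MAX_ROOT_PAGES   16

struct p2m_model {
    unsigned int root_level;                      /* stands in for P2M_ROOT_LEVEL: 0 or 1 */
    unsigned int root_pages;                      /* stands in for P2M_ROOT_PAGES: 1, 2, 8 or 16 */
    bool valid[MAX_ROOT_PAGES][ENTRIES_PER_PAGE]; /* valid bit of each root entry */
};

/* Start from a fully populated root: every entry of every concatenated page is valid. */
static void model_init(struct p2m_model *p2m, unsigned int level, unsigned int pages)
{
    unsigned int i, j;

    p2m->root_level = level;
    p2m->root_pages = pages > MAX_ROOT_PAGES ? MAX_ROOT_PAGES : pages;
    for (i = 0; i < MAX_ROOT_PAGES; i++)
        for (j = 0; j < ENTRIES_PER_PAGE; j++)
            p2m->valid[i][j] = (i < p2m->root_pages);
}

/* Model of invalidating one root page: clear the valid bit of every entry. */
static void invalidate_table(bool *table)
{
    unsigned int j;

    for (j = 0; j < ENTRIES_PER_PAGE; j++)
        table[j] = false;
}

/* The loop from the patch, with the bound passed in so the buggy
 * (P2M_ROOT_LEVEL) and fixed (P2M_ROOT_PAGES) variants can be compared.
 * Returns the number of root pages actually invalidated. */
static unsigned int invalidate_root(struct p2m_model *p2m, unsigned int bound)
{
    unsigned int i;

    /* With bound == root_level the bound never exceeds root_pages
     * (root_pages >= 1 >= root_level), which is why the thread classifies
     * the bug as under-invalidation only; the clamp makes that explicit. */
    if (bound > p2m->root_pages)
        bound = p2m->root_pages;

    for (i = 0; i < bound; i++)
        invalidate_table(p2m->valid[i]);

    return bound;
}

/* Entries still valid after invalidation, i.e. entries a guest access
 * would hit without trapping. */
static unsigned int count_valid_root_entries(const struct p2m_model *p2m)
{
    unsigned int i, j, n = 0;

    for (i = 0; i < p2m->root_pages; i++)
        for (j = 0; j < ENTRIES_PER_PAGE; j++)
            n += p2m->valid[i][j];

    return n;
}

/* Entries left valid when the loop is bounded by the root level (the bug). */
unsigned int leftover_after_buggy_loop(unsigned int level, unsigned int pages)
{
    struct p2m_model m;

    model_init(&m, level, pages);
    invalidate_root(&m, m.root_level);
    return count_valid_root_entries(&m);
}

/* Entries left valid when the loop is bounded by the page count (the fix). */
unsigned int leftover_after_fixed_loop(unsigned int level, unsigned int pages)
{
    struct p2m_model m;

    model_init(&m, level, pages);
    invalidate_root(&m, m.root_pages);
    return count_valid_root_entries(&m);
}

int main(void)
{
    static const unsigned int configs[][2] = { {0, 1}, {1, 1}, {1, 2}, {1, 8}, {1, 16} };
    unsigned int k;

    printf("level pages  left-valid(bug)  left-valid(fix)\n");
    for (k = 0; k < sizeof(configs) / sizeof(configs[0]); k++)
        printf("%5u %5u  %15u  %15u\n", configs[k][0], configs[k][1],
               leftover_after_buggy_loop(configs[k][0], configs[k][1]),
               leftover_after_fixed_loop(configs[k][0], configs[k][1]));

    return 0;
}
```

Two observations fall out of the model: with 16 concatenated pages the level-bounded loop touches only the first page and leaves the other 15 fully valid, and with a level-0 root the buggy bound is 0, so nothing is invalidated at all. In every configuration the bound is at most the page count, matching the thread's conclusion that the defect can only under-invalidate, never walk past the root.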