WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
To: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] [XSM] Potential security vulnerability and inconsistency in evtchn_close and evtchn_reset
From: "Tan, Lin" <lintan2@xxxxxxxx>
Date: Mon, 28 Jan 2008 15:13:31 -0600
Hi All,

I found that evtchn_close() is not checked for authorization by xsm hooks in 
some cases.

There is an xsm permission check before __evtchn_close() in evtchn_reset() as 
shown below:

static long evtchn_reset(evtchn_reset_t *r)
{
...
    rc = xsm_evtchn_reset(current->domain, d);
    if ( rc )
        goto out;

    for ( i = 0; port_is_valid(d, i); i++ )
        (void)__evtchn_close(d, i);
...
}

However, there is no such xsm permission check before the __evtchn_close() 
called by evtchn_close() in do_event_channel_op() as below. I imagine maybe 
there is no need to check whether one can close its own channel, but it is 
probably still good to add an xsm hook inside evtchn_close() in case we decide 
to expand evtchn_close() to close other domains later. In addition, almost all 
other functions such as evtchn_send() and evtchn_status() put their xsm hooks 
inside themselves, so it is more consistent to add an xsm_evtchn_close() hook 
in evtchn_close(). What do you think? Thanks.

long do_event_channel_op(int cmd, XEN_GUEST_HANDLE(void) arg) {
...
    case EVTCHNOP_close: {
        struct evtchn_close close;
        if ( copy_from_guest(&close, arg, 1) != 0 )
            return -EFAULT;
        rc = evtchn_close(&close);
        break;
...
}

static long evtchn_close(evtchn_close_t *close)
{
    return __evtchn_close(current->domain, close->port);
}

Thanks,
Lin

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
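The following is an added, self-contained model of the pattern the mail asks about; it is constructed for illustration and is not Xen source. It places the evtchn_close() shape quoted above (worker called with no XSM check) beside the shape the mail proposes (an xsm_evtchn_close() hook consulted first, so a policy denial leaves the port untouched). The domain and port structures, the boolean policy, the run_close() driver and the three-argument signature of xsm_evtchn_close() are all assumptions made for the model; only the function names come from the mail.

```c
/* Constructed model (not Xen code) of gating __evtchn_close() behind an
 * XSM hook. Domain/port layout and the policy are toy stand-ins. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define NR_PORTS 8

enum { ECS_FREE = 0, ECS_UNBOUND = 1 };

struct domain {
    int domain_id;
    int port_state[NR_PORTS];   /* ECS_FREE or ECS_UNBOUND */
};

/* Stand-in for Xen's "current->domain": the domain issuing the hypercall. */
static struct domain *current_domain;

/* Toy policy decision; a real XSM module would consult its policy instead. */
static int policy_allow_close = 1;

/* Hypothetical hook with the name the mail proposes; signature is assumed. */
static int xsm_evtchn_close(struct domain *d1, struct domain *d2, int port)
{
    (void)d1; (void)d2; (void)port;
    return policy_allow_close ? 0 : -EPERM;
}

static int port_is_valid(struct domain *d, int port)
{
    (void)d;
    return port >= 0 && port < NR_PORTS;
}

/* Plays the role of __evtchn_close(): the unconditional worker. */
static long __evtchn_close(struct domain *d, int port)
{
    if ( !port_is_valid(d, port) )
        return -EINVAL;
    d->port_state[port] = ECS_FREE;
    return 0;
}

/* Shape of evtchn_close() as quoted in the mail: no XSM check at all. */
static long evtchn_close_unchecked(int port)
{
    return __evtchn_close(current_domain, port);
}

/* Shape the mail suggests: hook inside evtchn_close(), ahead of the worker. */
static long evtchn_close_checked(int port)
{
    struct domain *d = current_domain;
    long rc = xsm_evtchn_close(d, d, port);
    if ( rc )
        return rc;                 /* denied: port state is left as it was */
    return __evtchn_close(d, port);
}

/* Driver: sets up one bound port under the given policy, runs the chosen
 * variant and returns its rc; the port state stays in *dom for inspection. */
static long run_close(struct domain *dom, int port, int allow, int checked)
{
    memset(dom, 0, sizeof *dom);
    dom->domain_id = 1;
    dom->port_state[port] = ECS_UNBOUND;
    current_domain = dom;
    policy_allow_close = allow;
    return checked ? evtchn_close_checked(port) : evtchn_close_unchecked(port);
}

int main(void)
{
    struct domain dom;
    long rc = run_close(&dom, 3, 0, 0);
    printf("unchecked, policy denies: rc=%ld state=%d\n", rc, dom.port_state[3]);
    rc = run_close(&dom, 3, 0, 1);
    printf("checked, policy denies:   rc=%ld state=%d\n", rc, dom.port_state[3]);
    rc = run_close(&dom, 3, 1, 1);
    printf("checked, policy allows:   rc=%ld state=%d\n", rc, dom.port_state[3]);
    return 0;
}
```

The difference the model makes visible is the one the mail is concerned with: with the policy set to deny, the unchecked variant still frees the port (rc 0, state ECS_FREE), while the hooked variant returns -EPERM and the port stays ECS_UNBOUND. Placing the hook inside evtchn_close() rather than only at callers such as evtchn_reset() means any future caller that widens the target to another domain is covered without further changes.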
