WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 

xen-devel

Re: [Xen-devel] PATCH: Allow domains to share instruction pages with eac

To: Michael Abd-El-Malek <mabdelm@xxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-devel] PATCH: Allow domains to share instruction pages with each other
From: Keir Fraser <keir.fraser@xxxxxxxxxxxxx>
Date: Sat, 10 Jan 2009 09:22:24 +0000
In-reply-to: <FFE887B5-AEDF-4AF6-BB2B-15CCE02506A2@xxxxxxxxxxx>
On 10/01/2009 01:08, "Michael Abd-El-Malek" <mabdelm@xxxxxxxxxxx> wrote:

> Allow domains to share instruction pages with each other.
> 
> Xen changeset 4ec25db9326a (Nov 3, 2008) set the NX page bit on pages
> shared between domains.  That broke my ability to execute a binary
> whose pages are mapped from another domain.
> 
> My fix: I removed the NX page flag.  I don't see a security problem
> with this: if domain A maps a page from domain B, it somehow trusts
> it, and can do any additional checks after the page is mapped.  But
> absolutely disallowing execution of instructions from a mapped page
> seems a little too strict.

I think NX as default is pretty sensible. If you want to be able to make
executable shared mappings via grants, how about we add a flag
GNTMAP_executable to gnttab_map_grant_ref? You can use that in
create_grant_host_mapping() to zap _PAGE_NX.

If that works for you, feel free to make a patch.

 -- Keir



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
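
The opt-in behaviour proposed in the reply above, as an added C model that is not part of the original message and is not Xen source. GNTMAP_executable is the flag name suggested in the thread; grant_pte_flags(), grant_mapping_is_wx() and the bit values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the proposal; not Xen source. Bit positions are
 * chosen for this model, except that NX is bit 63 of an x86-64 PTE. */
#define _PAGE_PRESENT     (1ULL << 0)
#define _PAGE_RW          (1ULL << 1)
#define _PAGE_NX          (1ULL << 63)

#define GNTMAP_host_map   (1u << 1)
#define GNTMAP_readonly   (1u << 2)
#define GNTMAP_executable (1u << 7)  /* hypothetical flag from the thread */

/* PTE flags for a host mapping of a granted page: NX unless the caller
 * explicitly asked for an executable mapping. Returns 0 if no host
 * mapping was requested. */
uint64_t grant_pte_flags(unsigned int map_flags)
{
    uint64_t pte = _PAGE_PRESENT | _PAGE_NX;   /* default: no execute */

    if (!(map_flags & GNTMAP_host_map))
        return 0;
    if (!(map_flags & GNTMAP_readonly))
        pte |= _PAGE_RW;
    if (map_flags & GNTMAP_executable)
        pte &= ~_PAGE_NX;                      /* opt-in clearing of NX */
    return pte;
}

/* Audit helper: a mapping that is both writable and executable is the
 * combination a reviewer would want surfaced. */
int grant_mapping_is_wx(uint64_t pte)
{
    return (pte & _PAGE_PRESENT) && (pte & _PAGE_RW) && !(pte & _PAGE_NX);
}

int main(void)
{
    unsigned int cases[] = {
        GNTMAP_host_map,                                        /* default */
        GNTMAP_host_map | GNTMAP_readonly | GNTMAP_executable,  /* R-X */
        GNTMAP_host_map | GNTMAP_executable,                    /* RWX */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint64_t pte = grant_pte_flags(cases[i]);
        printf("map_flags=0x%02x nx=%d rw=%d wx=%d\n", cases[i],
               !!(pte & _PAGE_NX), !!(pte & _PAGE_RW), grant_mapping_is_wx(pte));
    }
    return 0;
}
```

Existing callers that never pass the new flag keep the NX default, so only mappings that name GNTMAP_executable lose the protection.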
