This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-bugs] [Bug 1162] New: [XSM] Potential security vulnerability and in

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 1162] New: [XSM] Potential security vulnerability and inconsistency in evtchn_close and evtchn_reset
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Sun, 3 Feb 2008 10:47:30 -0800
Delivery-date: Sun, 03 Feb 2008 10:47:40 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx

           Summary: [XSM] Potential security vulnerability and inconsistency
                    in evtchn_close and evtchn_reset
           Product: Xen
           Version: unstable
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Hypervisor
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: tammy000@xxxxxxxxx

I found that evtchn_close() is not checked for authorization by xsm hooks in
some cases.

There is an xsm permission check before __evtchn_close() in evtchn_reset(), as
shown below:
static long evtchn_reset(evtchn_reset_t *r)
{
    ...
    rc = xsm_evtchn_reset(current->domain, d);
    if ( rc )
        goto out;

    for ( i = 0; port_is_valid(d, i); i++ )
        (void)__evtchn_close(d, i);
    ...

However, there is no such xsm permission check before the __evtchn_close()
called by evtchn_close() in do_event_channel_op(), as below. I imagine maybe
there is no need to check if one can close itself, but it is probably still
good to add an xsm hook inside evtchn_close() in case we decide to expand
evtchn_close() to close other domains later. In addition, almost all other
functions such as evtchn_send() and evtchn_status() put their xsm hooks inside
themselves, so it is more consistent to add an xsm_evtchn_close() hook in
evtchn_close(). What do you think? Thanks.

long do_event_channel_op(int cmd, XEN_GUEST_HANDLE(void) arg) {
    ...
    case EVTCHNOP_close: {
        struct evtchn_close close;
        if ( copy_from_guest(&close, arg, 1) != 0 )
            return -EFAULT;
        rc = evtchn_close(&close);
        break;
    ...

static long evtchn_close(evtchn_close_t *close)
{
    return __evtchn_close(current->domain, close->port);
}


Configure bugmail: 
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
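
The hook placement discussed in the report, as an added example (a constructed model, not Xen source and not the reporter's code). xsm_evtchn_close() is the hook name proposed above; its policy, struct domain, close_port() and cross_domain_close() are assumptions made for illustration.

```c
/* Constructed model, not Xen source: where the authorization hook sits. */
#include <errno.h>
#include <stdio.h>

#define NR_PORTS 4
struct domain { int id; int privileged; int port_open[NR_PORTS]; };
static int victim_port_open;   /* state of the target port after the last scenario */

/* Stand-in policy (assumption): a domain may close its own ports; only a
 * privileged domain may close ports belonging to another domain. */
static int xsm_evtchn_close(const struct domain *src, const struct domain *tgt)
{
    return (src == tgt || src->privileged) ? 0 : -EPERM;
}

/* Unchecked primitive, playing the role of __evtchn_close(). */
static long close_port(struct domain *d, int port)
{
    if (port < 0 || port >= NR_PORTS || !d->port_open[port])
        return -EINVAL;
    d->port_open[port] = 0;
    return 0;
}

/* Wrapper with the hook inside it, as the report proposes. */
static long evtchn_close_hooked(struct domain *cur, struct domain *tgt, int port)
{
    long rc = xsm_evtchn_close(cur, tgt);
    return rc ? rc : close_port(tgt, port);
}

/* Scenario: a hypothetical later caller lets domain 1 close port 2 of
 * domain 2, either through the hooked wrapper or the bare primitive. */
static long cross_domain_close(int hooked, int privileged)
{
    struct domain a = { 1, privileged, { 0 } };
    struct domain b = { 2, 0, { 1, 1, 1, 1 } };
    long rc = hooked ? evtchn_close_hooked(&a, &b, 2) : close_port(&b, 2);
    victim_port_open = b.port_open[2];
    return rc;
}
int main(void)
{
    long rc = cross_domain_close(0, 0);
    printf("no hook: rc=%ld port_open=%d\n", rc, victim_port_open);
    rc = cross_domain_close(1, 0);
    printf("hooked:  rc=%ld port_open=%d\n", rc, victim_port_open);
    return 0;
}
```

With the check inside the wrapper, the unprivileged cross-domain request is refused and the target port stays open; through the bare primitive the same request succeeds.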
