Re: [Xen-devel] [PATCH 4/4] xen: select grant interface version

From: Andrew Cooper
Date: Tue Sep 12 2017 - 14:54:36 EST


On 08/09/17 15:48, Juergen Gross wrote:
> static void gnttab_request_version(void)
> {
> - int rc;
> + long rc;
> struct gnttab_set_version gsv;
>
> - gsv.version = 1;
> + rc = HYPERVISOR_memory_op(XENMEM_maximum_ram_page, NULL);

This hypercall is information leak and layering violation. Please can
we avoid adding more dependence on its presence? (I'm got a
proto-series which strips various corners off the hypervisor for attack
surface reduction purposes, and this hypercall is one victim which is
restricted to privileged domains only.)

For translated guests, it is definitely not the right number to check.
What matters is the maximum frame inside the translated guest, not on
the host.

For PV guests, I'm not sure what to suggest, but the result of
XENMEM_maximum_ram_page isn't applicable. Xen's max_page can increase
at runtime through memory hotplug, after which ballooning operations can
leave Linux with a frame it wishes to grant which exceeds the limit
calculated here.

The more I look into this, the more of a mess it turns out to be.

~Andrew

> + if (rc < 0 || !(rc >> 32))
> + gsv.version = 1;
> + else
> + gsv.version = 2;
> + if (xen_gnttab_version >= 1 && xen_gnttab_version <= 2)
> + gsv.version = xen_gnttab_version;
>
> rc = HYPERVISOR_grant_table_op(GNTTABOP_set_version, &gsv, 1);
> if (rc == 0 && gsv.version == 2)