Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

libvmmapi: Map the guest physical address space with PROT_CAP #2274

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from

Conversation

markjdb
Copy link
Contributor

@markjdb markjdb commented Dec 19, 2024

No description provided.

lib/libvmmapi/vmmapi.c Outdated Show resolved Hide resolved
@@ -415,7 +415,7 @@ setup_memory_segment(struct vmctx *ctx, vm_paddr_t gpa, size_t len, char *base)
flags |= MAP_NOCORE;

/* mmap into the process address space on the host */
ptr = mmap(base + gpa, len, PROT_RW, flags, ctx->fd, gpa);
ptr = mmap(base + gpa, len, PROT_RW | PROT_CAP, flags, ctx->fd, gpa);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I probably broke this in d2f37a3. With this change we generally don't add capability permissions to non-anonymous mappings.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be clear, this is the intended behaviour?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it probably is. I think we probably believe that MAP_SHARED file mappings that need capability permissions will be sufficiently rare that requiring an explicit PROT_CAP is not a deal breaker in terms of compatibility.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MAP_SHARED mappings with should have to request PROT_CAP to ensure the developer means it as MAP_SHARED mappings in general present a way for capabilities to leak between address spaces where they may cause aliasing and temporal safety violations.

That does make me wonder if it's actually safe to sweep these mappings during revocation. If they only contain kernel pointers then it should be fine, but if they contain user pointers we might blow things up quite excitingly.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I hadn't really considered that. This is a mapping of the guest physical address space, so I see no reason that we wouldn't encounter user pointers. We can't safely sweep this mapping, nor can we leave it alone with PROT_CAP set without breaking temporal safety within bhyve itself.

Since PROT_CAP is needed only for the gdb stub, at least so far, perhaps the solution is to ask the kernel to fetch the capability tag for us?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see an argument for requiring a system call to read the capability. Other users of this mapping (which basically exist to implement DMA) should be tag-oblivious and in particular, they should always clear tags on writes. Also, revocation would definitely blow up here and do bad things to the guest's address space.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll work on that. I was thinking of adding a vmmdev ioctl to handle this; do you think it makes sense to have a more generic syscall for this purpose.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It also avoids confused deputy attacks on the userspace part of the hypervisor by being able to inject capabilities via this mapping.

lib/libvmmapi/vmmapi.c Outdated Show resolved Hide resolved
This lets the gdb stub see capability tag bits; otherwise, they're cleared on
load and the debugger sees all capabilities as invalid.

Note that this enables the writing of capabilities to the GPA space as well.
@markjdb markjdb force-pushed the dev-libvmmapi-prot-cap branch from e84bc1d to ebb6b74 Compare December 20, 2024 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants