[PATCH 0/8] xen: harden frontends against malicious backends

From: Juergen Gross
Date: Thu May 13 2021 - 06:03:37 EST


Xen backends of para-virtualized devices can live in dom0 kernel, dom0
user land, or in a driver domain. This means that a backend might
reside in a less trusted environment than the Xen core components, so
a backend should not be able to do harm to a Xen guest (it can still
mess up I/O data, but it shouldn't be able to e.g. crash a guest by
other means or cause a privilege escalation in the guest).

Unfortunately many frontends in the Linux kernel are fully trusting
their respective backends. This series is starting to fix the most
important frontends: console, disk and network.

It was discussed to handle this as a security problem, but the topic
was discussed in public before, so it isn't a real secret.

Juergen Gross (8):
xen: sync include/xen/interface/io/ring.h with Xen's newest version
xen/blkfront: read response from backend only once
xen/blkfront: don't take local copy of a request from the ring page
xen/blkfront: don't trust the backend response data blindly
xen/netfront: read response from backend only once
xen/netfront: don't read data from request on the ring page
xen/netfront: don't trust the backend response data blindly
xen/hvc: replace BUG_ON() with negative return value

drivers/block/xen-blkfront.c | 118 +++++++++-----
drivers/net/xen-netfront.c | 184 ++++++++++++++-------
drivers/tty/hvc/hvc_xen.c | 15 +-
include/xen/interface/io/ring.h | 278 ++++++++++++++++++--------------
4 files changed, 369 insertions(+), 226 deletions(-)

--
2.26.2