Getting ranges of valid guest physical memory address

KVM-VMI / kvm

Fork of KVM with Virtual Machine Introspection patches

Other

33 stars 28 forks source link

Getting ranges of valid guest physical memory address #23

Open kylerky opened 4 years ago

kylerky commented 4 years ago

Is there any way to know which guest physical memory addresses are valid for KVMI_READ_PHYSICAL and KVMI_WRITE_PHYSICAL?

As far as I can see, KVMI_GET_MAX_GFN gives the largest physical memory address , say max_addr (max_gfn << 12), used by the guest. But I found that I could get an error code -22 from KVM when I am reading from some addresses smaller than max_addr. I suspect that this is because those addresses are not mapped by the KVM.

Currently, KVMI_READ_PHYSICAL returns error code -22 when reading from invalid addresses and the socket will be closed by KVM, which is not convenient when I try to scan the whole memory of the guest.

Given that there is no way to get ranges of valid guest memory address, I think a better way is not to close the socket when reading from invalid addresses.

mtarral commented 4 years ago

ping @adlazar, @mdontu

mdontu commented 4 years ago

@kylerky You are correct and I think the current behaviour is the result of a bug. The API documentation indicates that the connection is closed on communication errors, however the calls themselves should be allowed to fail and some do indeed (the memory mapping ones come to mind). I will revise the behaviour with @adlazar.

adlazar commented 4 years ago

I can't reproduce it unless the gpa/size pair is not valid. We use the following function to validate:

static bool invalid_page_access(u64 gpa, u64 size)
{
    u64 off = gpa & ~PAGE_MASK;

    return (size == 0 || size > PAGE_SIZE || off + size > PAGE_SIZE);
}

Should we return an error code (as a command reply) instead for this case too?

There is also a bug when you try to read a whole page, becauseKVMI_MSG_SIZE is too small. I'll try to create a pull request for this.

kylerky commented 4 years ago

Should we return an error code (as a command reply) instead for this case too?

I think so.

There is also a bug when you try to read a whole page, becauseKVMI_MSG_SIZE is too small. I'll try to create a pull request for this.

That is what I was doing. I was reading the memory in 4KB chunks when the socket was closed. This does not happen with all the 4KB reads though, just some of them.

adlazar commented 4 years ago

https://github.com/KVM-VMI/kvm/pull/25 should fix the issue related to KVMI_MSG_SIZE

adlazar commented 4 years ago

Should we return an error code (as a command reply) instead for this case too?

I think so.

So, returning EINVAL when the gpa/pair is not valid and ENOENT when the page is not mapped sounds good ?

kylerky commented 4 years ago

So, returning EINVAL when the gpa/pair is not valid and ENOENT when the page is not mapped sounds good ?

Good. It is helpful that we can distinguish between the two kinds of errors.

adlazar commented 4 years ago

I'll queue this change for the next version, because I don't think you need it right now. You still have to use arguments that pass the validation tests in order to see if the page is mapped or not. Right? #25 will allow you to read a whole page.