hey @tehjh/@pwnallthethings, question from a dumb person (me): is there anything intrinsically useful from an exploitation perspective (e.g. rop) about the xen hypercall_page (typically statically mapped into guest linux kernel memory at 0xffffffff81001000)?
I never looked into it. Where does that address come from? From a coarse look at the Linux kernel, it looks like it allocates its own hypercall page in the text section, and then asks Xen to fill it using either a Xen-specific fake MSR or XEN_ELFNOTE_HYPERCALL_PAGE?
I assume you're talking about some legacy behavior that comes from dom0 userspace, with something like XEN_DOMCTL_hypercall_init?
it may vary a bit on how it's mapped, b/c if you set a HYPERCALL_PAGE=<page#> string in the .__xen_guest section of the raw machine image elf, xen maps it into the guest on its own. the page is basically a bunch of function stubs to do hypercalls (so like set rax; syscall on pv).