hey @tehjh/@pwnallthethings, question from a dumb person (me): is there anything intrinsically useful from an exploitation perspective (e.g. rop) about the xen hypercall_page (typically statically mapped into guest linux kernel memory at 0xffffffff81001000)?
I assume you're talking about some legacy behavior that comes from dom0 userspace, with something like XEN_DOMCTL_hypercall_init?
-
it may vary a bit on how it's mapped, b/c if you set a HYPERCALL_PAGE=<page#> string in the .__xen_guest section of the raw machine image elf, xen maps it into the guest on its own. the page is basically a bunch of function stubs to do hypercalls (so like set rax; syscall on pv).
-
also, that would be a chicken and egg problem, no? unless linux hardcoded the hypercall table, it would need to already be given the hypercall (table) page by xen, otherwise it wouldn't be able to make the hypercall to request that xen map the hypercall page.