feat(memory): removed guard pages

Now guest memory does not have guard pages to each side of the memory regions. Initially guard pages were added as a defence mechanism to prevent guest or firecracker from accessing guest memory outside of allocated memory. Main concern was the possibility of a bug in the device emulation, that can lead to the security issue. As of right now firecracker creates guest memory backed by memfd and utilizes different forms of verification and other defence in depth mechanisms such as jailing. Additionally guard pages do not provide a generic defence mechanism. Signed-off-by: Egor Lazarchuk <[email protected]>
firecracker-microvm · Oct 20, 2023 · 71cf036 · 71cf036
1 parent 54caed2
commit 71cf036
Show file tree

Hide file tree

Showing 9 changed files with 29 additions and 339 deletions.
diff --git a/src/vmm/src/arch/x86_64/mptable.rs b/src/vmm/src/arch/x86_64/mptable.rs
@@ -306,7 +306,7 @@ mod tests {
     #[test]
     fn bounds_check() {
         let num_cpus = 4;
-        let mem = GuestMemoryMmap::from_raw_regions_unguarded(
+        let mem = GuestMemoryMmap::from_raw_regions(
             &[(GuestAddress(MPTABLE_START), compute_mp_size(num_cpus))],
             false,
         )
@@ -318,7 +318,7 @@ mod tests {
     #[test]
     fn bounds_check_fails() {
         let num_cpus = 4;
-        let mem = GuestMemoryMmap::from_raw_regions_unguarded(
+        let mem = GuestMemoryMmap::from_raw_regions(
             &[(GuestAddress(MPTABLE_START), compute_mp_size(num_cpus) - 1)],
             false,
         )
@@ -330,7 +330,7 @@ mod tests {
     #[test]
     fn mpf_intel_checksum() {
         let num_cpus = 1;
-        let mem = GuestMemoryMmap::from_raw_regions_unguarded(
+        let mem = GuestMemoryMmap::from_raw_regions(
             &[(GuestAddress(MPTABLE_START), compute_mp_size(num_cpus))],
             false,
         )
@@ -346,7 +346,7 @@ mod tests {
     #[test]
     fn mpc_table_checksum() {
         let num_cpus = 4;
-        let mem = GuestMemoryMmap::from_raw_regions_unguarded(
+        let mem = GuestMemoryMmap::from_raw_regions(
             &[(GuestAddress(MPTABLE_START), compute_mp_size(num_cpus))],
             false,
         )
@@ -371,7 +371,7 @@ mod tests {
 
     #[test]
     fn cpu_entry_count() {
-        let mem = GuestMemoryMmap::from_raw_regions_unguarded(
+        let mem = GuestMemoryMmap::from_raw_regions(
             &[(
                 GuestAddress(MPTABLE_START),
                 compute_mp_size(MAX_SUPPORTED_CPUS),
@@ -409,7 +409,7 @@ mod tests {
     #[test]
     fn cpu_entry_count_max() {
         let cpus = MAX_SUPPORTED_CPUS + 1;
-        let mem = GuestMemoryMmap::from_raw_regions_unguarded(
+        let mem = GuestMemoryMmap::from_raw_regions(
             &[(GuestAddress(MPTABLE_START), compute_mp_size(cpus))],
             false,
         )

diff --git a/src/vmm/src/arch/x86_64/regs.rs b/src/vmm/src/arch/x86_64/regs.rs
@@ -247,12 +247,7 @@ mod tests {
     fn create_guest_mem(mem_size: Option<u64>) -> GuestMemoryMmap {
         let page_size = 0x10000usize;
         let mem_size = u64_to_usize(mem_size.unwrap_or(page_size as u64));
-        if mem_size % page_size == 0 {
-            GuestMemoryMmap::from_raw_regions(&[(GuestAddress(0), mem_size)], false).unwrap()
-        } else {
-            GuestMemoryMmap::from_raw_regions_unguarded(&[(GuestAddress(0), mem_size)], false)
-                .unwrap()
-        }
+        GuestMemoryMmap::from_raw_regions(&[(GuestAddress(0), mem_size)], false).unwrap()
     }
 
     fn read_u64(gm: &GuestMemoryMmap, offset: u64) -> u64 {

diff --git a/src/vmm/src/builder.rs b/src/vmm/src/builder.rs
@@ -1214,7 +1214,7 @@ pub mod tests {
     }
 
     fn create_guest_mem_at(at: GuestAddress, size: usize) -> GuestMemoryMmap {
-        GuestMemoryMmap::from_raw_regions_unguarded(&[(at, size)], false).unwrap()
+        GuestMemoryMmap::from_raw_regions(&[(at, size)], false).unwrap()
     }
 
     pub(crate) fn create_guest_mem_with_size(size: usize) -> GuestMemoryMmap {

diff --git a/src/vmm/src/devices/virtio/balloon/device.rs b/src/vmm/src/devices/virtio/balloon/device.rs
@@ -1134,8 +1134,7 @@ pub(crate) mod tests {
         assert!(balloon.update_size(1).is_err());
         // Switch the state to active.
         balloon.device_state = DeviceState::Activated(
-            GuestMemoryMmap::from_raw_regions_unguarded(&[(GuestAddress(0x0), 0x1)], false)
-                .unwrap(),
+            GuestMemoryMmap::from_raw_regions(&[(GuestAddress(0x0), 0x1)], false).unwrap(),
         );
 
         assert_eq!(balloon.num_pages(), 0);

diff --git a/src/vmm/src/devices/virtio/net/test_utils.rs b/src/vmm/src/devices/virtio/net/test_utils.rs
@@ -396,11 +396,9 @@ pub mod test {
         pub fn get_default() -> TestHelper<'a> {
             let mut event_manager = EventManager::new().unwrap();
             let mut net = default_net();
-            let mem = GuestMemoryMmap::from_raw_regions_unguarded(
-                &[(GuestAddress(0), MAX_BUFFER_SIZE)],
-                false,
-            )
-            .unwrap();
+            let mem =
+                GuestMemoryMmap::from_raw_regions(&[(GuestAddress(0), MAX_BUFFER_SIZE)], false)
+                    .unwrap();
             // transmute mem_ref lifetime to 'a
             let mem_ref = unsafe { mem::transmute::<&GuestMemoryMmap, &'a GuestMemoryMmap>(&mem) };
 

diff --git a/src/vmm/src/devices/virtio/test_utils.rs b/src/vmm/src/devices/virtio/test_utils.rs
@@ -25,7 +25,7 @@ macro_rules! check_metric_after_block {
 /// Creates a [`GuestMemoryMmap`] with a single region of the given size starting at guest physical
 /// address 0
 pub fn single_region_mem(region_size: usize) -> GuestMemoryMmap {
-    GuestMemoryMmap::from_raw_regions_unguarded(&[(GuestAddress(0), region_size)], false).unwrap()
+    GuestMemoryMmap::from_raw_regions(&[(GuestAddress(0), region_size)], false).unwrap()
 }
 
 /// Creates a [`GuestMemoryMmap`] with a single region  of size 65536 (= 0x10000 hex) starting at
@@ -331,8 +331,7 @@ pub(crate) mod test {
     use crate::vstate::memory::{Address, GuestAddress, GuestMemoryExtension, GuestMemoryMmap};
 
     pub fn create_virtio_mem() -> GuestMemoryMmap {
-        GuestMemoryMmap::from_raw_regions_unguarded(&[(GuestAddress(0), MAX_BUFFER_SIZE)], false)
-            .unwrap()
+        GuestMemoryMmap::from_raw_regions(&[(GuestAddress(0), MAX_BUFFER_SIZE)], false).unwrap()
     }
 
     /// Provides functionality necessary for testing a VirtIO device with

diff --git a/src/vmm/src/devices/virtio/vsock/packet.rs b/src/vmm/src/devices/virtio/vsock/packet.rs
@@ -760,7 +760,7 @@ mod tests {
     fn test_check_bounds_for_buffer_access_edge_cases() {
         let mut test_ctx = TestContext::new();
 
-        test_ctx.mem = GuestMemoryMmap::from_raw_regions_unguarded(
+        test_ctx.mem = GuestMemoryMmap::from_raw_regions(
             &[
                 (GuestAddress(0), 500),
                 (GuestAddress(500), 100),