To guarantee memory isolation, the intended region disjointness property should include two levels:
- Intra-zone disjointness: memory regions within the same zone should not overlap.
- Inter-zone disjointness: physical memory regions assigned to one zone should not overlap with physical memory regions assigned to other zones (at least for private RAM regions).
However, in the current implementation, the overlap check in MemorySet::test_free_area() appears to only validate regions within the same MemorySet:
```rust
fn test_free_area(&self, other: &MemoryRegion<PT::VA>) -> bool {
    // Closest region starting before `other` (regions are keyed by start address).
    if let Some((_, before)) = self.regions.range(..other.start).last() {
        if before.is_overlap_with(other) {
            return false;
        }
    }
    // Closest region starting at or after `other`.
    if let Some((_, after)) = self.regions.range(other.start..).next() {
        if after.is_overlap_with(other) {
            return false;
        }
    }
    true
}
```
Since each zone maintains its own MemorySet, this seems sufficient to guarantee Intra-zone disjointness, but it does not by itself guarantee Inter-zone disjointness.
If no additional validation is performed elsewhere during zone creation or config loading, then two zones may be configured with overlapping physical memory regions. In that case, both zones could map the same physical pages, which may break zone isolation and lead to unexpected behavior or security issues.
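The gap described above, as an added illustration rather than the project's own code: a minimal model of MemorySet with the same neighbour-only test_free_area(), plus one hypothetical way to add the missing inter-zone check by validating every private RAM region against a hypervisor-wide set of regions already granted to any zone (the Region type, the claim_private_ram() step and the addresses are assumptions constructed for the example).

```rust
use std::collections::BTreeMap;
/// Physical region [start, end); stands in for the page's MemoryRegion (assumption).
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Region { pub start: usize, pub end: usize }
impl Region {
    pub fn new(start: usize, size: usize) -> Self { Region { start, end: start + size } }
    /// Half-open intervals overlap iff each starts before the other ends.
    pub fn is_overlap_with(&self, o: &Region) -> bool { self.start < o.end && o.start < self.end }
}
/// Sorted, non-overlapping regions keyed by start address, as in the quoted MemorySet.
#[derive(Default)]
pub struct MemorySet { regions: BTreeMap<usize, Region> }
impl MemorySet {
    /// Same neighbour-only logic as the quoted test_free_area(); it is sound only
    /// because the map is kept non-overlapping, so just the nearest region on each side can collide.
    pub fn test_free_area(&self, other: &Region) -> bool {
        if let Some((_, before)) = self.regions.range(..other.start).last() {
            if before.is_overlap_with(other) { return false; }
        }
        if let Some((_, after)) = self.regions.range(other.start..).next() {
            if after.is_overlap_with(other) { return false; }
        }
        true
    }
    /// Insert only if free; false lets the caller reject the offending config entry.
    pub fn push(&mut self, r: Region) -> bool {
        if !self.test_free_area(&r) { return false; }
        self.regions.insert(r.start, r);
        true
    }
}
/// Hypothetical zone-creation step: a private RAM region must be free in the zone's
/// own set (intra-zone) AND in a hypervisor-wide set of all private RAM already handed
/// to any zone (inter-zone). Returns (intra_ok, inter_ok) so both results are visible.
pub fn claim_private_ram(zone: &mut MemorySet, global: &mut MemorySet, r: Region) -> (bool, bool) {
    let intra_ok = zone.test_free_area(&r);
    let inter_ok = global.test_free_area(&r);
    if intra_ok && inter_ok {
        zone.push(r);
        global.push(r);
    }
    (intra_ok, inter_ok)
}
/// Constructed scenario: zone B's first region overlaps the RAM already given to zone A.
pub fn demo() -> (bool, bool) {
    let (mut zone_a, mut zone_b, mut global) = (MemorySet::default(), MemorySet::default(), MemorySet::default());
    assert_eq!(claim_private_ram(&mut zone_a, &mut global, Region::new(0x8000_0000, 0x1000_0000)), (true, true));
    // Zone B's own MemorySet is empty, so the intra-zone check passes; only the
    // global check catches the 128 MiB overlap with zone A, i.e. returns (true, false).
    claim_private_ram(&mut zone_b, &mut global, Region::new(0x8800_0000, 0x1000_0000))
}
```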