|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [IA64] Check privilege level for pal/sal/efi calls.
# HG changeset patch
# User awilliam@xxxxxxxxxxx
# Node ID 1dc45879fa5c925ef73eef76ab07a5b11e28e574
# Parent ccb437f2ed4e801cd7ecf2d87743b6d68ebe0d01
[IA64] Check privilege level for pal/sal/efi calls.
Previously a user was able to reset the machine.
Signed-off-by: Tristan Gingold <tristan.gingold@xxxxxxxx>
diff -r ccb437f2ed4e -r 1dc45879fa5c xen/arch/ia64/xen/hypercall.c
--- a/xen/arch/ia64/xen/hypercall.c Mon Mar 20 16:53:17 2006
+++ b/xen/arch/ia64/xen/hypercall.c Mon Mar 20 16:55:32 2006
@@ -66,13 +66,71 @@
(hypercall_t)do_ni_hypercall /* */
};
-int
-ia64_hypercall (struct pt_regs *regs)
+static int
+xen_hypercall (struct pt_regs *regs)
+{
+ switch (regs->r2) {
+ case __HYPERVISOR_dom0_op:
+ regs->r8 = do_dom0_op(guest_handle_from_ptr(regs->r14,
+ dom0_op_t));
+ break;
+
+ case __HYPERVISOR_memory_op:
+ /* we don't handle reservations; just return success */
+ {
+ struct xen_memory_reservation reservation;
+ void *arg = (void *) regs->r15;
+
+ switch(regs->r14) {
+ case XENMEM_increase_reservation:
+ case XENMEM_decrease_reservation:
+ if (copy_from_user(&reservation, arg,
+ sizeof(reservation)))
+ regs->r8 = -EFAULT;
+ else
+ regs->r8 = reservation.nr_extents;
+ break;
+ default:
+ regs->r8 = do_memory_op((int) regs->r14,
guest_handle_from_ptr(regs->r15, void));
+ break;
+ }
+ }
+ break;
+
+ case __HYPERVISOR_event_channel_op:
+ regs->r8 = do_event_channel_op(guest_handle_from_ptr(regs->r14,
evtchn_op_t));
+ break;
+
+ case __HYPERVISOR_grant_table_op:
+ regs->r8 = do_grant_table_op((unsigned int) regs->r14,
guest_handle_from_ptr(regs->r15, void), (unsigned int) regs->r16);
+ break;
+
+ case __HYPERVISOR_console_io:
+ regs->r8 = do_console_io((int) regs->r14, (int) regs->r15,
guest_handle_from_ptr(regs->r16, char));
+ break;
+
+ case __HYPERVISOR_xen_version:
+ regs->r8 = do_xen_version((int) regs->r14,
guest_handle_from_ptr(regs->r15, void));
+ break;
+
+ case __HYPERVISOR_multicall:
+ regs->r8 = do_multicall(guest_handle_from_ptr(regs->r14,
multicall_entry_t), (unsigned int) regs->r15);
+ break;
+
+ default:
+ printf("unknown xen hypercall %lx\n", regs->r2);
+ regs->r8 = do_ni_hypercall();
+ }
+ return 1;
+}
+
+
+static int
+fw_hypercall (struct pt_regs *regs)
{
struct vcpu *v = current;
struct sal_ret_values x;
unsigned long *tv, *tc;
- int pi;
switch (regs->r2) {
case FW_HYPERCALL_PAL_CALL:
@@ -87,6 +145,7 @@
VCPU(v,pending_interruption) = 1;
#endif
if (regs->r28 == PAL_HALT_LIGHT) {
+ int pi;
#define SPURIOUS_VECTOR 15
pi = vcpu_check_pending_interrupts(v);
if (pi != SPURIOUS_VECTOR) {
@@ -165,66 +224,50 @@
// FIXME: need fixes in efi.h from 2.6.9
regs->r8 = EFI_UNSUPPORTED;
break;
- case 0xffff:
- regs->r8 = dump_privop_counts_to_user(
- (char *) vcpu_get_gr(v,32),
- (int) vcpu_get_gr(v,33));
- break;
- case 0xfffe:
- regs->r8 = zero_privop_counts_to_user(
- (char *) vcpu_get_gr(v,32),
- (int) vcpu_get_gr(v,33));
- break;
- case __HYPERVISOR_dom0_op:
- regs->r8 = do_dom0_op(guest_handle_from_ptr(regs->r14,
- dom0_op_t));
- break;
-
- case __HYPERVISOR_memory_op:
- /* we don't handle reservations; just return success */
- {
- struct xen_memory_reservation reservation;
- void *arg = (void *) regs->r15;
-
- switch(regs->r14) {
- case XENMEM_increase_reservation:
- case XENMEM_decrease_reservation:
- if (copy_from_user(&reservation, arg,
- sizeof(reservation)))
- regs->r8 = -EFAULT;
- else
- regs->r8 = reservation.nr_extents;
- break;
- default:
- regs->r8 = do_memory_op((int) regs->r14,
guest_handle_from_ptr(regs->r15, void));
- break;
- }
- }
- break;
-
- case __HYPERVISOR_event_channel_op:
- regs->r8 = do_event_channel_op(guest_handle_from_ptr(regs->r14,
evtchn_op_t));
- break;
-
- case __HYPERVISOR_grant_table_op:
- regs->r8 = do_grant_table_op((unsigned int) regs->r14,
guest_handle_from_ptr(regs->r15, void), (unsigned int) regs->r16);
- break;
-
- case __HYPERVISOR_console_io:
- regs->r8 = do_console_io((int) regs->r14, (int) regs->r15,
guest_handle_from_ptr(regs->r16, char));
- break;
-
- case __HYPERVISOR_xen_version:
- regs->r8 = do_xen_version((int) regs->r14,
guest_handle_from_ptr(regs->r15, void));
- break;
-
- case __HYPERVISOR_multicall:
- regs->r8 = do_multicall(guest_handle_from_ptr(regs->r14,
multicall_entry_t), (unsigned int) regs->r15);
- break;
-
default:
- printf("unknown hypercall %lx\n", regs->r2);
+ printf("unknown ia64 fw hypercall %lx\n", regs->r2);
regs->r8 = do_ni_hypercall();
}
return 1;
}
+
+int
+ia64_hypercall (struct pt_regs *regs)
+{
+ struct vcpu *v = current;
+ unsigned long index = regs->r2;
+
+ if (index >= FW_HYPERCALL_FIRST_USER) {
+ switch (index) {
+ case 0xffff:
+ regs->r8 = dump_privop_counts_to_user(
+ (char *) vcpu_get_gr(v,32),
+ (int) vcpu_get_gr(v,33));
+ break;
+ case 0xfffe:
+ regs->r8 = zero_privop_counts_to_user(
+ (char *) vcpu_get_gr(v,32),
+ (int) vcpu_get_gr(v,33));
+ break;
+ default:
+ printf("unknown user xen/ia64 hypercall %lx\n", index);
+ regs->r8 = do_ni_hypercall();
+ }
+ return 1;
+ }
+ else if (index >= FW_HYPERCALL_FIRST_ARCH) {
+ int privlvl;
+
+ /* Firmware calls are only allowed in kernel. */
+ privlvl = (regs->cr_ipsr & IA64_PSR_CPL) >> IA64_PSR_CPL0_BIT;
+ if (privlvl != 2) {
+ /* FIXME: Return a better error value ?
+ Reflextion ? Illegal operation ? */
+ regs->r8 = -1;
+ return 1;
+ }
+ else
+ return fw_hypercall (regs);
+ } else
+ return xen_hypercall (regs);
+}
diff -r ccb437f2ed4e -r 1dc45879fa5c xen/include/asm-ia64/dom_fw.h
--- a/xen/include/asm-ia64/dom_fw.h Mon Mar 20 16:53:17 2006
+++ b/xen/include/asm-ia64/dom_fw.h Mon Mar 20 16:55:32 2006
@@ -119,6 +119,16 @@
#define FW_HYPERCALL_EFI_GET_NEXT_HIGH_MONO_COUNT_PADDR
FW_HYPERCALL_PADDR(FW_HYPERCALL_EFI_GET_NEXT_HIGH_MONO_COUNT_INDEX)
#define FW_HYPERCALL_EFI_RESET_SYSTEM_PADDR
FW_HYPERCALL_PADDR(FW_HYPERCALL_EFI_RESET_SYSTEM_INDEX)
+/* Hypercalls index bellow _FIRST_ARCH are reserved by Xen, while those above
+ are for the architecture.
+ Note: this limit was defined by Xen/ia64 (and not by Xen).²
+ This can be renumbered safely.
+*/
+#define FW_HYPERCALL_FIRST_ARCH 0x300UL
+
+/* Xen/ia64 user hypercalls. Only used for debugging. */
+#define FW_HYPERCALL_FIRST_USER 0xff00UL
+
extern struct ia64_pal_retval xen_pal_emulator(UINT64, u64, u64, u64);
extern struct sal_ret_values sal_emulator (long index, unsigned long in1,
unsigned long in2, unsigned long in3, unsigned long in4, unsigned long in5,
unsigned long in6, unsigned long in7);
extern struct ia64_pal_retval pal_emulator_static (unsigned long);
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |