[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] [XEN] Add a missing access check to __gnttab_copy.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 14 Aug 2006 10:00:35 +0000
Delivery-date: Mon, 14 Aug 2006 03:03:34 -0700
List-id: BK change log <xen-changelog.lists.xensource.com>

# HG changeset patch
# User ssmith@xxxxxxxxxxxxxxxxxxxxxxxxxx
# Node ID c0a3f670d0d6b68293ad8f48b768eebcac1bd017
# Parent  d4c9a653907ba8d9ef0fa6d4fdf741025c60491a
[XEN] Add a missing access check to __gnttab_copy.

Signed-off-by: Steven Smith <sos22@xxxxxxxxx>
---
 xen/common/grant_table.c |   13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diff -r d4c9a653907b -r c0a3f670d0d6 xen/common/grant_table.c
--- a/xen/common/grant_table.c  Sun Aug 13 19:10:57 2006 +0100
+++ b/xen/common/grant_table.c  Mon Aug 14 10:45:45 2006 +0100
@@ -822,11 +822,20 @@ __gnttab_copy(
     char *sp, *dp;
     s16 rc = GNTST_okay;
     int have_d_grant = 0, have_s_grant = 0;
+    int src_is_gref, dest_is_gref;
 
     if ( ((op->source.offset + op->len) > PAGE_SIZE) ||
          ((op->dest.offset + op->len) > PAGE_SIZE) )
         PIN_FAIL(error_out, GNTST_bad_copy_arg, "copy beyond page area.\n");
 
+    src_is_gref = op->flags & GNTCOPY_source_gref;
+    dest_is_gref = op->flags & GNTCOPY_dest_gref;
+
+    if ( (op->source.domid != DOMID_SELF && !src_is_gref ) ||
+         (op->dest.domid   != DOMID_SELF && !dest_is_gref)   )
+        PIN_FAIL(error_out, GNTST_permission_denied,
+                 "only allow copy-by-mfn for DOMID_SELF.\n");
+
     if ( op->source.domid == DOMID_SELF )
     {
         sd = current->domain;
@@ -849,7 +858,7 @@ __gnttab_copy(
                  "couldn't find %d\n", op->dest.domid);
     }
 
-    if ( op->flags & GNTCOPY_source_gref )
+    if ( src_is_gref )
     {
         rc = __acquire_grant_for_copy(sd, op->source.u.ref, 1, &s_frame);
         if ( rc != GNTST_okay )
@@ -864,7 +873,7 @@ __gnttab_copy(
         PIN_FAIL(error_out, GNTST_general_error,
                  "could not get source frame %lx.\n", s_frame);
 
-    if ( op->flags & GNTCOPY_dest_gref )
+    if ( dest_is_gref )
     {
         rc = __acquire_grant_for_copy(dd, op->dest.u.ref, 0, &d_frame);
         if ( rc != GNTST_okay )

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen-unstable] [XEN] Explicitly include domain_page.h for map_domain_page() and fix a
Next by Date: [Xen-changelog] [xen-unstable] [XEN] Add some missing put_page()s to __gnttab_copy.
Previous by thread: [Xen-changelog] [xen-unstable] [XEN] Explicitly include domain_page.h for map_domain_page() and fix a
Next by thread: [Xen-changelog] [xen-unstable] [XEN] Add some missing put_page()s to __gnttab_copy.
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.