
[Xen-changelog] [linux-2.6.18-xen] [IA64] Fix vulnerability of privcmd_mmap



# HG changeset patch
# User Alex Williamson <alex.williamson@xxxxxx>
# Date 1203694570 25200
# Node ID 99478ffd81ee8685e6376210a1bd654c3790bf8d
# Parent  4b9f2293d7507bab5cd6952c2c97e7b3d057641a
[IA64] Fix vulnerability of privcmd_mmap

empty_zero_page can be polluted by writing to a page mapped through
privcmd_mmap(), i.e. a user program can hang a privileged
domain (dom0), although root privilege is required.

Resetting the VM_PFNMAP flag is a little bit kludgy, but
fixes the issue.

After this patch is applied, other patches to Qemu become
necessary to create a HVM domain.

Signed-off-by: Kouya Shimura <kouya@xxxxxxxxxxxxxx>
---
 arch/ia64/xen/hypervisor.c |   21 ++++++++++++++++++---
 1 files changed, 18 insertions(+), 3 deletions(-)

diff -r 4b9f2293d750 -r 99478ffd81ee arch/ia64/xen/hypervisor.c
--- a/arch/ia64/xen/hypervisor.c        Fri Feb 22 10:06:03 2008 +0000
+++ b/arch/ia64/xen/hypervisor.c        Fri Feb 22 08:36:10 2008 -0700
@@ -653,6 +653,12 @@ xen_ia64_privcmd_entry_mmap(struct vm_ar
 
        prot = vma->vm_page_prot;
        error = remap_pfn_range(vma, addr, gpfn, 1 << PAGE_SHIFT, prot);
+       /*
+        * VM_PFNMAP is set in remap_pfn_range().
+        * Reset the flag to avoid BUG_ON() in do_no_page().
+        */
+       vma->vm_flags &= ~VM_PFNMAP;
+
        if (error != 0) {
                error = HYPERVISOR_zap_physmap(gpfn, 0);
                if (error)
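Review bot: The new comment explains the BUG_ON() but not why this VMA must now be able to reach do_no_page() at all, which is the actual fix: with VM_PFNMAP gone, a fault on a page that was never remapped through this path goes to the new xen_ia64_privcmd_vma_nopage() and gets NOPAGE_SIGBUS instead of being backed by empty_zero_page, which the commit message says could be polluted. Suggest extending the comment to `/* VM_PFNMAP is set in remap_pfn_range(). Reset it so faults on unpopulated pages reach vm_ops->nopage (SIGBUS) instead of BUG_ON() in do_no_page() or a shared empty_zero_page. */`. The flag is also cleared unconditionally, including when remap_pfn_range() fails and the page is zapped below; that looks intentional so that VM_PFNMAP never lingers on the VMA, but a word to that effect would stop a later reader from moving the reset under the success path. Whether vma->vm_flags may be written here without further locking depends on the caller holding mmap_sem for write, which is not visible in the hunk. xen_ia64_privcmd_entry_mmap() starts and ends outside the hunk.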
@@ -706,9 +712,18 @@ static void xen_ia64_privcmd_vma_open(st
 static void xen_ia64_privcmd_vma_open(struct vm_area_struct *vma);
 static void xen_ia64_privcmd_vma_close(struct vm_area_struct *vma);
 
+static struct page *
+xen_ia64_privcmd_vma_nopage(struct vm_area_struct *vma,
+                           unsigned long address,
+                           int *type)
+{
+       return NOPAGE_SIGBUS;
+}
+
 struct vm_operations_struct xen_ia64_privcmd_vm_ops = {
-       .open = &xen_ia64_privcmd_vma_open,
-       .close = &xen_ia64_privcmd_vma_close,
+       .open = xen_ia64_privcmd_vma_open,
+       .close = xen_ia64_privcmd_vma_close,
+       .nopage = xen_ia64_privcmd_vma_nopage
 };
 
 static void
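Review bot: xen_ia64_privcmd_vma_nopage() carries no comment stating its contract, and since it is the part of this change that decides what user space sees on an untouched page, it deserves one: `/* Pages not populated through the privcmd ioctl must fault, never be zero-filled; see privcmd_mmap() and the VM_PFNMAP handling in xen_ia64_privcmd_entry_mmap(). */`. The `address` and `type` parameters are unused, which is normal for a nopage handler that always refuses, but saying so in the same comment avoids a later "unused parameter" cleanup. Separately, the `.open = &x` to `.open = x` rewrite is unrelated to the fix; mixing a cosmetic change into a security patch makes it harder to backport cleanly and to see what actually changed.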
@@ -832,7 +847,7 @@ privcmd_mmap(struct file * file, struct 
        privcmd_range->res = res;
 
        /* DONTCOPY is essential for Xen as copy_page_range is broken. */
-       vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY | VM_PFNMAP;
+       vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY;
 
        atomic_set(&privcmd_range->ref_count, 1);
        privcmd_range->pgoff = vma->vm_pgoff;
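Review bot: The comment above the vm_flags line still explains only VM_DONTCOPY, so nothing records that VM_PFNMAP was removed on purpose; a reader who sees remap_pfn_range() used later in this file is likely to add it back. Suggest a second line: `/* VM_PFNMAP is intentionally absent: remap_pfn_range() sets it and xen_ia64_privcmd_entry_mmap() clears it again so faults reach xen_ia64_privcmd_vma_nopage(). */`. privcmd_mmap() starts and ends outside the hunk.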



 

