[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-4.2-testing] x86: check remote MMIO remap permissions


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-4.2-testing <patchbot@xxxxxxx>
  • Date: Fri, 05 Oct 2012 00:55:13 +0000
  • Delivery-date: Fri, 05 Oct 2012 00:55:25 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
# Date 1349338435 -7200
# Node ID b4bda6995bc16dfa40188b50c6d9a20392175cf7
# Parent  b0aed9cadf103ac44d82f46eacd8b056c604fbc0
x86: check remote MMIO remap permissions

When a domain is mapping pages from a different pg_owner domain, the
iomem_access checks are currently only applied to the pg_owner domain,
potentially allowing a domain with a more restrictive iomem_access
policy to have the pages mapped into its page tables. To catch this,
also check the owner of the page tables. The current domain does not
need to be checked because the ability to manipulate a domain's page
tables implies full access to the target domain, so checking that
domain's permission is sufficient.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
xen-unstable changeset: 25952:8278d7d8fa48
xen-unstable date: Wed Sep 26 09:56:07 UTC 2012
---


diff -r b0aed9cadf10 -r b4bda6995bc1 xen/arch/x86/mm.c
--- a/xen/arch/x86/mm.c Thu Oct 04 10:12:43 2012 +0200
+++ b/xen/arch/x86/mm.c Thu Oct 04 10:13:55 2012 +0200
@@ -866,6 +866,19 @@ get_page_from_l1e(
             return -EINVAL;
         }
 
+        if ( pg_owner != l1e_owner &&
+             !iomem_access_permitted(l1e_owner, mfn, mfn) )
+        {
+            if ( mfn != (PADDR_MASK >> PAGE_SHIFT) ) /* INVALID_MFN? */
+            {
+                MEM_LOG("Dom%u attempted to map I/O space %08lx in dom%u to 
dom%u",
+                        curr->domain->domain_id, mfn, pg_owner->domain_id,
+                        l1e_owner->domain_id);
+                return -EPERM;
+            }
+            return -EINVAL;
+        }
+
         if ( !(l1f & _PAGE_RW) ||
              !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
             return 0;

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.