
[Xen-changelog] [xen master] x86: constrain MFN range Dom0 may access



commit 53de839fb40936c074213a0c400e3c959e4ec461
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Jan 21 16:10:42 2016 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Jan 21 16:10:42 2016 +0100

    x86: constrain MFN range Dom0 may access
    
    ... to that covered by the physical address width supported by the
    processor. This implicitly avoids Dom0 (accidentally or due to some
    kind of abuse) passing out of range addresses to a guest, which in
    turn eliminates this only possibility for PV guests to create PTEs
    with one or more reserved bits set.
    
    Note that this is not a security issue due to XSA-77.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/domain_build.c |    2 +-
 xen/arch/x86/mm.c           |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/xen/arch/x86/domain_build.c b/xen/arch/x86/domain_build.c
index d02dc4b..cb287f0 100644
--- a/xen/arch/x86/domain_build.c
+++ b/xen/arch/x86/domain_build.c
@@ -1533,7 +1533,7 @@ int __init construct_dom0(
 
     /* The hardware domain is initially permitted full I/O capabilities. */
     rc |= ioports_permit_access(d, 0, 0xFFFF);
-    rc |= iomem_permit_access(d, 0UL, ~0UL);
+    rc |= iomem_permit_access(d, 0UL, (1UL << (paddr_bits - PAGE_SHIFT)) - 1);
     rc |= irqs_permit_access(d, 1, nr_irqs_gsi - 1);
 
     /*
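Review bot: The comment above the changed `iomem_permit_access()` call still says the hardware domain is permitted "full I/O capabilities", but the iomem range is now capped at `(1UL << (paddr_bits - PAGE_SHIFT)) - 1`. Suggest updating the comment to state that the MMIO range is limited to the MFNs covered by the processor's physical address width, so the bound does not read as an oversight later. The `paddr_bits - PAGE_SHIFT` expression is written out again in the mm.c change, so a named macro or helper for the highest valid MFN would keep the two sites consistent.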
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index fcf6577..83f82b8 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -4604,7 +4604,7 @@ struct memory_map_context
 static int _handle_iomem_range(unsigned long s, unsigned long e,
                                struct memory_map_context *ctxt)
 {
-    if ( s > ctxt->s )
+    if ( s > ctxt->s && !(s >> (paddr_bits - PAGE_SHIFT)) )
     {
         e820entry_t ent;
         XEN_GUEST_HANDLE_PARAM(e820entry_t) buffer_param;
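Review bot: The added test in the `if` of `_handle_iomem_range()` checks only `s` against the physical address width; nothing in the lines shown bounds `e`, and no comment says why a range with an out-of-range `s` is skipped rather than clamped. Suggest a one-line comment on the condition explaining the cut-off, and confirming that skipping the block leaves `ctxt` in the state the caller expects for any remaining ranges.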
--
generated by git-patchbot for /home/xen/git/xen.git#master
