
[Xen-changelog] [xen master] x86/hvm: add stricter permissions checks to ioreq server control plane



commit 8df3821c08d024684a6c83659d8d794b565067f9
Author:     Paul Durrant <paul.durrant@xxxxxxxxxx>
AuthorDate: Tue Mar 20 18:05:25 2018 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Wed Mar 21 18:24:50 2018 +0000

    x86/hvm: add stricter permissions checks to ioreq server control plane
    
    There has always been an intention in the ioreq server API that only the
    domain that creates an ioreq server should be able to manipulate it.
    However, so far, nothing has enforced this. This means that two domains
    with DM_PRIV over a target domain can currently manipulate each other's
    ioreq servers.
    
    A previous patch added code to take a reference and store a pointer to the
    domain that creates an ioreq server. This patch now adds checks to the
    functions that manipulate the ioreq server to make sure they are being
    called by the same domain.
    
    Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/arch/x86/hvm/ioreq.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index fecabb96a9..44d029499d 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -757,6 +757,10 @@ int hvm_destroy_ioreq_server(struct domain *d, ioservid_t 
id)
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         domain_pause(d);
 
         p2m_set_ioreq_server(d, 0, s);
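Review bot: The ownership test placed before domain_pause(d) here is repeated verbatim in all six functions this patch touches. Moving it into one small helper, or having the lookup loop only yield a server when s->emulator == current->domain, would keep a later ioreq server operation from being added without the check.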
@@ -801,6 +805,10 @@ int hvm_get_ioreq_server_info(struct domain *d, ioservid_t 
id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         *ioreq_gfn = s->ioreq.gfn;
 
         if ( s->bufioreq.va != NULL )
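Review bot: rc is set to -EPERM ahead of the test and keeps that value when the caller is the owner, so the success path after "*ioreq_gfn = s->ioreq.gfn;" has to reset rc to 0, and that assignment is not visible in this context. Please confirm it exists, or assign inside the branch, "if ( s->emulator != current->domain ) { rc = -EPERM; break; }", so the function cannot return -EPERM after filling in the output values.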
@@ -843,6 +851,10 @@ int hvm_map_io_range_to_ioreq_server(struct domain *d, 
ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         switch ( type )
         {
         case XEN_DMOP_IO_RANGE_PORT:
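Review bot: The -EPERM return happens only after "s->id != id" has matched, so if the not-found path (not visible here) returns a different error, a caller that does not own the server can tell an id in use from an unused one. If that distinction is not meant to be exposed to other emulators, return the same error as the not-found case; if it is intentional, a short comment above the check would say so.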
@@ -898,6 +910,10 @@ int hvm_unmap_io_range_from_ioreq_server(struct domain *d, 
ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         switch ( type )
         {
         case XEN_DMOP_IO_RANGE_PORT:
@@ -961,6 +977,10 @@ int hvm_map_mem_type_to_ioreq_server(struct domain *d, 
ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         rc = p2m_set_ioreq_server(d, flags, s);
         break;
     }
@@ -1000,6 +1020,10 @@ int hvm_set_ioreq_server_state(struct domain *d, 
ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         domain_pause(d);
 
         if ( enabled )
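Review bot: Missing documentation: the diffstat shows only ioreq.c changing, so nothing tells callers that hvm_set_ioreq_server_state and the other five operations now fail with -EPERM for any domain other than the creator. A sentence in the interface comments for the corresponding operations, plus a one-line comment at the check explaining that s->emulator is the creating domain, would make the new contract visible to emulator authors.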
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 

