[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging] xen/arm: Restrict the amount of memory that dom0less domU and dom0 can allocate

commit c08d68cd2aacbc7cb56e73ada241bfe4639bbc68
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Wed Aug 25 14:19:31 2021 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Aug 25 14:19:31 2021 +0200

    xen/arm: Restrict the amount of memory that dom0less domU and dom0 can 
    Currently, both dom0less domUs and dom0 can allocate an "unlimited"
    amount of memory because d->max_pages is set to ~0U.
    In particular, the former are meant to be unprivileged. Therefore the
    memory they could allocate should be bounded. As the domain are not yet
    officially aware of Xen (we don't expose advertise it in the DT, yet
    the hypercalls are accessible), they should not need to allocate more
    than the initial amount. So cap set d->max_pages directly the amount of
    memory we are meant to allocate.
    Take the opportunity to also restrict the memory for dom0 as the
    domain is direct mapped (e.g. MFN == GFN) and therefore cannot
    allocate outside of the pre-allocated region.
    This is CVE-2021-28700 / XSA-383.
    Reported-by: Julien Grall <jgrall@xxxxxxxxxx>
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    Tested-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
 xen/arch/arm/domain_build.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index 6c86d52781..206038d1c0 100644
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -2440,7 +2440,8 @@ static int __init construct_domU(struct domain *d,
     if ( vcpu_create(d, 0) == NULL )
         return -ENOMEM;
-    d->max_pages = ~0U;
+    d->max_pages = ((paddr_t)mem * SZ_1K) >> PAGE_SHIFT;
     kinfo.d = d;
@@ -2546,7 +2547,7 @@ static int __init construct_dom0(struct domain *d)
-    d->max_pages = ~0U;
+    d->max_pages = dom0_mem >> PAGE_SHIFT;
     kinfo.unassigned_mem = dom0_mem;
     kinfo.d = d;
generated by git-patchbot for /home/xen/git/xen.git#staging



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.