[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.14] xen/arm: p2m: Prevent adding mapping when domain is dying



commit 7a7406ba1d8912719eb7c9eec2d7cd34f49dfac0
Author:     Julien Grall <jgrall@xxxxxxxxxx>
AuthorDate: Tue Oct 11 15:32:58 2022 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 11 15:32:58 2022 +0200

    xen/arm: p2m: Prevent adding mapping when domain is dying
    
    During the domain destroy process, the domain will still be accessible
    until it is fully destroyed. So does the P2M because we don't bail
    out early if is_dying is non-zero. If a domain has permission to
    modify the other domain's P2M (i.e. dom0, or a stubdomain), then
    foreign mapping can be added past relinquish_p2m_mapping().
    
    Therefore, we need to prevent mapping to be added when the domain
    is dying. This commit prevents such adding of mapping by adding the
    d->is_dying check to p2m_set_entry(). Also this commit enhances the
    check in relinquish_p2m_mapping() to make sure that no mappings can
    be added in the P2M after the P2M lock is released.
    
    This is part of CVE-2022-33746 / XSA-410.
    
    Signed-off-by: Julien Grall <jgrall@xxxxxxxxxx>
    Signed-off-by: Henry Wang <Henry.Wang@xxxxxxx>
    Tested-by: Henry Wang <Henry.Wang@xxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
    master commit: 3ebe773293e3b945460a3d6f54f3b91915397bab
    master date: 2022-10-11 14:20:18 +0200
---
 xen/arch/arm/p2m.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 2290b7114f..35943589fc 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -1085,6 +1085,15 @@ int p2m_set_entry(struct p2m_domain *p2m,
 {
     int rc = 0;
 
+    /*
+     * Any reference taken by the P2M mappings (e.g. foreign mapping) will
+     * be dropped in relinquish_p2m_mapping(). As the P2M will still
+     * be accessible after, we need to prevent mapping to be added when the
+     * domain is dying.
+     */
+    if ( unlikely(p2m->domain->is_dying) )
+        return -ENOMEM;
+
     while ( nr )
     {
         unsigned long mask;
@@ -1579,6 +1588,8 @@ int relinquish_p2m_mapping(struct domain *d)
     unsigned int order;
     gfn_t start, end;
 
+    BUG_ON(!d->is_dying);
+    /* No mappings can be added in the P2M after the P2M lock is released. */
     p2m_write_lock(p2m);
 
     start = p2m->lowest_mapped_gfn;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.14



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.