[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen master] xen/arm: domain_build: Check if the address fits the range of physical address



commit 133f6df947a20bb60f189f6b8d9872b53af6a1d9
Author:     Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>
AuthorDate: Thu May 18 15:39:14 2023 +0100
Commit:     Julien Grall <jgrall@xxxxxxxxxx>
CommitDate: Fri May 26 13:13:19 2023 +0100

    xen/arm: domain_build: Check if the address fits the range of physical 
address
    
    handle_pci_range() and map_range_to_domain() take addr and len as uint64_t
    parameters. Then frame numbers are obtained from addr and len by right 
shifting
    with PAGE_SHIFT. The frame numbers are expressed using unsigned long.
    
    Now if 64-bit >> PAGE_SHIFT, the result will have 52-bits as valid. On a 
32-bit
    system, 'unsigned long' is 32-bits. Thus, there is a potential loss of value
    when the result is stored as 'unsigned long'.
    
    To mitigate this issue, we check if the starting and end address can be
    contained within the range of physical address supported on the system. If 
not,
    then an appropriate error is returned.
    
    Signed-off-by: Ayan Kumar Halder <ayan.kumar.halder@xxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
    Reviewed-by: Michal Orzel <michal.orzel@xxxxxxx>
---
 xen/arch/arm/domain_build.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index 50b85ea783..cb23f531a8 100644
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -1643,6 +1643,13 @@ static int __init handle_pci_range(const struct 
dt_device_node *dev,
     paddr_t start, end;
     int res;
 
+    if ( (addr != (paddr_t)addr) || (((paddr_t)~0 - addr) < len) )
+    {
+        printk(XENLOG_ERR "%s: [0x%"PRIx64", 0x%"PRIx64"] exceeds the maximum 
allowed PA width (%u bits)",
+               dt_node_full_name(dev), addr, (addr + len), PADDR_BITS);
+        return -ERANGE;
+    }
+
     start = addr & PAGE_MASK;
     end = PAGE_ALIGN(addr + len);
     res = rangeset_remove_range(mem_holes, PFN_DOWN(start), PFN_DOWN(end - 1));
@@ -2333,6 +2340,13 @@ int __init map_range_to_domain(const struct 
dt_device_node *dev,
     struct domain *d = mr_data->d;
     int res;
 
+    if ( (addr != (paddr_t)addr) || (((paddr_t)~0 - addr) < len) )
+    {
+        printk(XENLOG_ERR "%s: [0x%"PRIx64", 0x%"PRIx64"] exceeds the maximum 
allowed PA width (%u bits)",
+               dt_node_full_name(dev), addr, (addr + len), PADDR_BITS);
+        return -ERANGE;
+    }
+
     /*
      * reserved-memory regions are RAM carved out for a special purpose.
      * They are not MMIO and therefore a domain should not be able to
--
generated by git-patchbot for /home/xen/git/xen.git#master



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.