
[xen staging] Arm: foreign page handling in p2m_get_page_from_gfn()



commit c5a6dd68508c998c95ca87f59e9ecb6da93ca6ab
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Sep 9 14:12:13 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 9 14:12:13 2025 +0200

    Arm: foreign page handling in p2m_get_page_from_gfn()
    
    I can't see what would make the 1st of the assertions safe: For example,
    the P2M lock not being held, the foreign page may disappear before we
    get to call page_get_owner_and_reference(), which hence may return NULL.
    
    Even the 2nd, which appears to be safe, is lacking proper release
    build fallbacks.
    
    Drop the former in favor of an if(), and convert the latter to the
    equivalent of what x86 uses: ASSERT_UNREACHABLE() plus putting of the
    obtained page.
    
    This is CVE-2025-58144 / part of XSA-473.
    
    Fixes: 9486a8d07ba8 ("xen/arm: Handle remove foreign mapping")
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Julien Grall <jgrall@xxxxxxxxxx>
---
 xen/arch/arm/p2m.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index ef8bd4b6ab..667ea595f4 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -74,10 +74,16 @@ struct page_info *p2m_get_page_from_gfn(struct domain *d, 
gfn_t gfn,
      */
     if ( p2m_is_foreign(p2mt) )
     {
-        struct domain *fdom = page_get_owner_and_reference(page);
-        ASSERT(fdom != NULL);
-        ASSERT(fdom != d);
-        return page;
+        const struct domain *fdom = page_get_owner_and_reference(page);
+
+        if ( fdom )
+        {
+            if ( fdom != d )
+                return page;
+            ASSERT_UNREACHABLE();
+            put_page(page);
+        }
+        return NULL;
     }
 
     return get_page(page, d) ? page : NULL;
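Review bot: The new `if ( fdom )` check has no in-code comment, so when the owner is NULL the code falls through to `return NULL;` with the reason recorded only in the commit log. Per the commit message, this is a legitimate runtime outcome because the foreign page may disappear while the P2M lock is not held. A one-line comment above `if ( fdom )` saying so would keep a later reader from turning the check back into an assertion. A short remark beside `ASSERT_UNREACHABLE();` would also help, noting that `put_page(page);` is the release-build fallback dropping the reference just taken by `page_get_owner_and_reference()`. That would make clear why the `fdom == d` case is treated as a bug while the NULL case is not.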
--
generated by git-patchbot for /home/xen/git/xen.git#staging



 

