[Xen-devel] [PATCH v3] arch/x86: check remote MMIO remap permissions

[Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>]

Patch was 19/23 in the XSM IS_PRIV series, but as Jan pointed out, it
can be applied separately from the other patches.

---->8---------------------------------------------------------------

When a domain is mapping pages from a different pg_owner domain, the
iomem_access checks are currently only applied to the pg_owner domain,
potentially allowing a domain with a more restrictive iomem_access
policy to have the pages mapped into its page tables. To catch this,
also check the owner of the page tables. The current domain does not
need to be checked because the ability to manipulate a domain's page
tables implies full access to the target domain, so checking that
domain's permission is sufficient.

Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
Cc: Keir Fraser <keir@xxxxxxx>
Cc: Tim Deegan <tim@xxxxxxx>
---
 xen/arch/x86/mm.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index a962369..ff64413 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -754,6 +754,19 @@ get_page_from_l1e(
             return -EINVAL;
         }
 
+        if ( pg_owner != l1e_owner &&
+             !iomem_access_permitted(l1e_owner, mfn, mfn) )
+        {
+            if ( mfn != (PADDR_MASK >> PAGE_SHIFT) ) /* INVALID_MFN? */
+            {
+                MEM_LOG("Dom%u attempted to map I/O space %08lx in dom%u to 
dom%u",
+                        curr->domain->domain_id, mfn, pg_owner->domain_id,
+                        l1e_owner->domain_id);
+                return -EPERM;
+            }
+            return -EINVAL;
+        }
+
         if ( !(l1f & _PAGE_RW) ||
              !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
             return 0;
-- 
1.7.11.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel