[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 9/9] gnttab: don't silently truncate GFNs in compat setup-table handling

  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 26 Aug 2021 12:15:10 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=e6HedQ272Hp//43TliKGHrhoJiCNzxfthP7GUPhT9cI=; b=lE3XO7F1fhUqoqh+3Y2exirEf7TBwopQeW9D5Uozc9psnj6C+FkgjoNwBMKoS2H09Vzy3svN8UD5c3pGSBPBoIB4Rj51HDOF8jtXGm6EHngv97z9KoSJa0EFDtJsB2ZHTKklLrnGYsGeDG9s0nI+ZQI5UJT4LZYaazA2SF7Z7cbcwr+QMcAPmgxr/z389LSfCAZ0yrwdhtV9wWzvFBGR0mKk/Ge3oaeqsmtnsTokntJp5eKSDxD2dI+gd7y2GKUlyAnLo++1JT/aTZFcvUuR39JAtSwUh55OXsG7NiAOavc+4EecD5DVXdKZAIp/tl6sZ3e+m2AqUdSVyLfRt9hQyA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BSvH8K7oUPfe1XTevN+tJ9r4CogZ2pTHeJgVGZqy9Xr8XWcJUDZZa8MFtRL8IcGDFYVJiWk01tZKMJ8FpsLpK4c4Cr1CBpyn5tZfb3fg4kYcUyfA8qlF6rJ9Ied6UgUXpo1LMDLAf9w76ZQGTwygfzfth3n5b+E0C4AeQ6UWqftgLuHIFis8Hs4VyGtUG2neuDy6AGD1SUe3/BM3k/Aqf4XcdxF/dc59GfB4bGh0MFI/b+ACqvpJTHwxKzLe3yY2HLOBN+RviYxnWCmNLg8hpNjJwDZdAb6kpqokTdnoOY6g8sHTjZV2KhYiypnJ+SqEnDTvIOw1Oq/knIWkbWZZqA==
  • Authentication-results: xen.org; dkim=none (message not signed) header.d=none;xen.org; dmarc=none action=none header.from=suse.com;
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Ian Jackson <iwj@xxxxxxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Thu, 26 Aug 2021 10:15:19 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Returning back truncated frame numbers is unhelpful: Quite likely
they're not owned by the domain (if it's PV), or we may misguide the
guest into writing grant entries into a page that it actually uses for
other purposes.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
RFC: Arguably in the 32-bit PV case it may be necessary to instead put
     in place an explicit address restriction when allocating
     ->shared_raw[N]. This is currently implicit by alloc_xenheap_page()
     only returning memory covered by the direct-map.

--- a/xen/common/compat/grant_table.c
+++ b/xen/common/compat/grant_table.c
@@ -175,8 +175,15 @@ int compat_grant_table_op(unsigned int c
                                  i < (_s_)->nr_frames; ++i ) \
                     { \
                         compat_pfn_t frame = (_s_)->frame_list.p[i]; \
-                        if ( __copy_to_compat_offset((_d_)->frame_list, \
-                                                     i, &frame, 1) ) \
+                        if ( frame != (_s_)->frame_list.p[i] ) \
+                        { \
+                            if ( VALID_M2P((_s_)->frame_list.p[i]) ) \
+                                (_s_)->status = GNTST_address_too_big; \
+                            else \
+                                frame |= 0x80000000U;\
+                        } \
+                        else if ( __copy_to_compat_offset((_d_)->frame_list, \
+                                                          i, &frame, 1) ) \
                             (_s_)->status = GNTST_bad_virt_addr; \
                     } \
                 } while (0)

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.