Xen project Mailing List

[PATCH] domain: Validate __copy_to_guest in VCPUOP_register_runstate_memory_area

From: Michal Orzel <michal.orzel@xxxxxxx>

Date: Tue, 26 Nov 2024 11:26:53 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=lists.xenproject.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=G9kBqC5zBD5gUs1hx/Z74wEDICt99TAu9t6elq2LBLU=; b=pbPHn2LsYZy+7PoyriNKorFi1aHDQplLYSe74C+MLLi+MRoFP1dWNa+Sa9ZGsQI6NIbsWG2sNAD2qd1aagdyQ2NDgmZqC4Z3vJYRRVx0sMzN17ubofzwWF+P7CJaw+aBlzknR3GqbAdbDruFPUKZS9J/zRv8+wwjBKAuuJ2uOrc52kOVoHcZmtlBQLSzA64vPLQwpi8mmB1mgI0vIsNpyQQEBDoONNKujYH3qJxTSHZpx+0J9V335GLvSFyka47qNKwBusWMdXwBFzkn1bK9kj1jLTtilb8/tMBftHOOSgZ/+aAv5WtDXMq5K+RuB+kbbLaukPmSNpv87+tC0t4gtg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=TdNy/4gSQxxS+iDPqT9iJOfPzsvXjj4ernPJ87Qo+4B4vKpmvjCou6Aa5qMDqfTryvqPZzSeo7KjkQGoNYYqWuMCVQxsQB7GRN2ITKjqTkiBw7x4ePFzy+NMMKZwXsMIpfMS3faPan/kUQhSMo1GoY/iLvBQiqpfG/XNLL9fTj1uQ3mIh4ZcUCmFrPYWyabyMoGth7MsyEecLLPB7W2GrZ2QhTPOwduTVNTWdMU7y9k/ea7b14B/tlNY3/W5zCnc07t2mvhvCYX12p3wxod5oQCXVn8EogWFz7wYvimhPgxi0Ped+V6oT8PjcbFEZDwAH+l3qnSBeJCYk4Kw0BxMvQ==

Cc: Michal Orzel <michal.orzel@xxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>

Delivery-date: Tue, 26 Nov 2024 10:27:27 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

For guests with paging mode external, guest_handle_okay() always returns success, even if the guest handle is invalid (e.g. address not in P2M). In VCPUOP_register_runstate_memory_area, we would then blindly set runstate_guest() for a given vCPU to invalid handle. Moreover, we don't check the return value from __copy_to_guest() and return success to the guest, even in case of a failure during copy. Fix it, by checking the return value from __copy_to_guest() and set runstate_guest() only on success. Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx> --- I'm not sure what would be the appropriate commit for a Fixes tag. Arm port only moved this code to common in 8968bafa3170d46d21d8f6ee2d0856f270c864ad, so if at all, it would be: Fixes: 8968bafa3170 ("xen: move VCPUOP_register_runstate_memory_area to common code") --- xen/common/domain.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/xen/common/domain.c b/xen/common/domain.c index 92263a4fbdc5..3f6fb0798fa3 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -2046,19 +2046,21 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg) if ( !guest_handle_okay(area.addr.h, 1) ) break; - rc = 0; - runstate_guest(v) = area.addr.h; - if ( v == current ) { - __copy_to_guest(runstate_guest(v), &v->runstate, 1); + if ( __copy_to_guest(area.addr.h, &v->runstate, 1) ) + break; } else { vcpu_runstate_get(v, &runstate); - __copy_to_guest(runstate_guest(v), &runstate, 1); + if ( __copy_to_guest(area.addr.h, &runstate, 1) ) + break; } + rc = 0; + runstate_guest(v) = area.addr.h; + break; } -- 2.25.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.