xen/25952-x86-MMIO-remap-permissions.patch

# HG changeset patch
# User Daniel De Graaf <dgdegra@tycho.nsa.gov>
# Date 1348653367 -7200
# Node ID 8278d7d8fa485996f51134c5265fceaf239adf6a
# Parent  b83f414ccf7a6e4e077a10bc422cf3f6c7d30566
x86: check remote MMIO remap permissions

When a domain is mapping pages from a different pg_owner domain, the
iomem_access checks are currently only applied to the pg_owner domain,
potentially allowing a domain with a more restrictive iomem_access
policy to have the pages mapped into its page tables. To catch this,
also check the owner of the page tables. The current domain does not
need to be checked because the ability to manipulate a domain's page
tables implies full access to the target domain, so checking that
domain's permission is sufficient.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -870,6 +870,19 @@ get_page_from_l1e(
             return -EINVAL;
         }
 
+        if ( pg_owner != l1e_owner &&
+             !iomem_access_permitted(l1e_owner, mfn, mfn) )
+        {
+            if ( mfn != (PADDR_MASK >> PAGE_SHIFT) ) /* INVALID_MFN? */
+            {
+                MEM_LOG("Dom%u attempted to map I/O space %08lx in dom%u to dom%u",
+                        curr->domain->domain_id, mfn, pg_owner->domain_id,
+                        l1e_owner->domain_id);
+                return -EPERM;
+            }
+            return -EINVAL;
+        }
+
         if ( !(l1f & _PAGE_RW) ||
              !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
             return 0;
- Upstream patches from Jan 25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch 25931-x86-domctl-iomem-mapping-checks.patch 25940-x86-S3-flush-cache.patch 25952-x86-MMIO-remap-permissions.patch 25961-x86-HPET-interrupts.patch 25962-x86-assign-irq-vector-old.patch 25965-x86-ucode-Intel-resume.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=205 2012-10-03 00:08:01 +02:00			`# HG changeset patch`
			`# User Daniel De Graaf <dgdegra@tycho.nsa.gov>`
			`# Date 1348653367 -7200`
			`# Node ID 8278d7d8fa485996f51134c5265fceaf239adf6a`
			`# Parent b83f414ccf7a6e4e077a10bc422cf3f6c7d30566`
			`x86: check remote MMIO remap permissions`

			`When a domain is mapping pages from a different pg_owner domain, the`
			`iomem_access checks are currently only applied to the pg_owner domain,`
			`potentially allowing a domain with a more restrictive iomem_access`
			`policy to have the pages mapped into its page tables. To catch this,`
			`also check the owner of the page tables. The current domain does not`
			`need to be checked because the ability to manipulate a domain's page`
			`tables implies full access to the target domain, so checking that`
			`domain's permission is sufficient.`

			`Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>`
			`Committed-by: Jan Beulich <jbeulich@suse.com>`

			`--- a/xen/arch/x86/mm.c`
			`+++ b/xen/arch/x86/mm.c`
			`@@ -870,6 +870,19 @@ get_page_from_l1e(`
			`return -EINVAL;`
			`}`

			`+ if ( pg_owner != l1e_owner &&`
			`+ !iomem_access_permitted(l1e_owner, mfn, mfn) )`
			`+ {`
			`+ if ( mfn != (PADDR_MASK >> PAGE_SHIFT) ) /* INVALID_MFN? */`
			`+ {`
			`+ MEM_LOG("Dom%u attempted to map I/O space %08lx in dom%u to dom%u",`
			`+ curr->domain->domain_id, mfn, pg_owner->domain_id,`
			`+ l1e_owner->domain_id);`
			`+ return -EPERM;`
			`+ }`
			`+ return -EINVAL;`
			`+ }`
			`+`
			`if ( !(l1f & _PAGE_RW) \|\|`
			`!rangeset_contains_singleton(mmio_ro_ranges, mfn) )`
			`return 0;`