08af757235
25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch 25931-x86-domctl-iomem-mapping-checks.patch 25940-x86-S3-flush-cache.patch 25952-x86-MMIO-remap-permissions.patch 25961-x86-HPET-interrupts.patch 25962-x86-assign-irq-vector-old.patch 25965-x86-ucode-Intel-resume.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=205
# HG changeset patch
# User Daniel De Graaf <dgdegra@tycho.nsa.gov>
# Date 1348653367 -7200
# Node ID 8278d7d8fa485996f51134c5265fceaf239adf6a
# Parent b83f414ccf7a6e4e077a10bc422cf3f6c7d30566
x86: check remote MMIO remap permissions
When a domain is mapping pages from a different pg_owner domain, the
iomem_access checks are currently only applied to the pg_owner domain,
potentially allowing a domain with a more restrictive iomem_access
policy to have the pages mapped into its page tables. To catch this,
also check the owner of the page tables. The current domain does not
need to be checked because the ability to manipulate a domain's page
tables implies full access to the target domain, so checking that
domain's permission is sufficient.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Jan Beulich <jbeulich@suse.com>
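--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -870,6 +870,19 @@ get_page_from_l1e(
 return -EINVAL;
 }
 
+ if ( pg_owner != l1e_owner &&
+ !iomem_access_permitted(l1e_owner, mfn, mfn) )
+ {
+ if ( mfn != (PADDR_MASK >> PAGE_SHIFT) ) /* INVALID_MFN? */
+ {
+ MEM_LOG("Dom%u attempted to map I/O space %08lx in dom%u to dom%u",
+ curr->domain->domain_id, mfn, pg_owner->domain_id,
+ l1e_owner->domain_id);
+ return -EPERM;
+ }
+ return -EINVAL;
+ }
+
 if ( !(l1f & _PAGE_RW) ||
 !rangeset_contains_singleton(mmio_ro_ranges, mfn) )
 return 0;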
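Review bot: The added `pg_owner != l1e_owner` check has no comment saying why `l1e_owner` is checked but `curr->domain` is not. That reasoning is a security assumption which appears only in the commit message, so anyone later changing `get_page_from_l1e` or the privilege model around it will not see it. I would put it above the `if`, for example `/* Also enforce the page-table owner's iomem policy; curr is not checked because control of l1e_owner's page tables already implies full access to it. */`. The sentinel test `mfn != (PADDR_MASK >> PAGE_SHIFT)` with its `/* INVALID_MFN? */` question mark also leaves the -EPERM versus -EINVAL split unexplained, so a short comment stating that the sentinel value is rejected without logging would help. The function starts and ends outside the hunk, so the matching `pg_owner` check that presumably precedes this one cannot be confirmed from here.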