# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID 781ea5017f18ca99709f70a7ac9c99c1dec4d162
# Parent 075f4ffdbbce5527ba525a515abe320703d17a0e
[XEN] Restrict access to grant-mapping operations.
TLB flushing is not done strictly before notifying
the mappee -- this creates scope for multi-processor
mapping guests to attempt to abuse a stale mapping
on another VCPU.
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
---
xen/common/grant_table.c | 11 +++++++++++
xen/include/xen/iocap.h | 8 ++++++++
2 files changed, 19 insertions(+)
diff -r 075f4ffdbbce -r 781ea5017f18 xen/common/grant_table.c
--- a/xen/common/grant_table.c Fri Nov 17 10:34:08 2006 +0000
+++ b/xen/common/grant_table.c Fri Nov 17 10:48:34 2006 +0000
@@ -24,6 +24,8 @@
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
+#include <xen/config.h>
+#include <xen/iocap.h>
#include <xen/lib.h>
#include <xen/sched.h>
#include <xen/shadow.h>
@@ -991,6 +993,9 @@ do_grant_table_op(
guest_handle_cast(uop, gnttab_map_grant_ref_t);
if ( unlikely(!guest_handle_okay(map, count)) )
goto out;
+ rc = -EPERM;
+ if ( unlikely(!grant_flip_permitted(d)) )
+ goto out;
rc = gnttab_map_grant_ref(map, count);
break;
}
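Review bot: The added guard on the map path calls `grant_flip_permitted(d)`, but the only helper this changeset introduces (in the xen/include/xen/iocap.h hunk) is `grant_operations_permitted(d)`; unless a `grant_flip_permitted` macro already exists elsewhere, the new checks do not compile. The same mismatch appears in the unmap and transfer hunks that follow, so each site should read `if ( unlikely(!grant_operations_permitted(d)) )`. Ordering the new test after guest_handle_okay() means a domain that is both unprivileged and passes a bad handle is rejected for the handle rather than for permission; if that is deliberate, a one-line comment such as `/* Check handle first so rc reflects the earliest failure. */` would make it clear. do_grant_table_op begins and ends outside these hunks, and `d` is presumably the calling domain bound earlier in the function — confirm it is set before the first case.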
@@ -1000,6 +1005,9 @@ do_grant_table_op(
guest_handle_cast(uop, gnttab_unmap_grant_ref_t);
if ( unlikely(!guest_handle_okay(unmap, count)) )
goto out;
+ rc = -EPERM;
+ if ( unlikely(!grant_flip_permitted(d)) )
+ goto out;
rc = gnttab_unmap_grant_ref(unmap, count);
break;
}
@@ -1014,6 +1022,9 @@ do_grant_table_op(
XEN_GUEST_HANDLE(gnttab_transfer_t) transfer =
guest_handle_cast(uop, gnttab_transfer_t);
if ( unlikely(!guest_handle_okay(transfer, count)) )
+ goto out;
+ rc = -EPERM;
+ if ( unlikely(!grant_flip_permitted(d)) )
goto out;
rc = gnttab_transfer(transfer, count);
break;
diff -r 075f4ffdbbce -r 781ea5017f18 xen/include/xen/iocap.h
--- a/xen/include/xen/iocap.h Fri Nov 17 10:34:08 2006 +0000
+++ b/xen/include/xen/iocap.h Fri Nov 17 10:48:34 2006 +0000
@@ -31,4 +31,12 @@
#define multipage_allocation_permitted(d) \
(!rangeset_is_empty((d)->iomem_caps))
+/*
+ * Until TLB flushing issues are sorted out we consider it unsafe for
+ * domains with no hardware-access privileges to perform grant map/transfer
+ * operations.
+ */
+#define grant_operations_permitted(d) \
+ (!rangeset_is_empty((d)->iomem_caps))
+
#endif /* __XEN_IOCAP_H__ */
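Review bot: `grant_operations_permitted(d)` is defined with exactly the same body as `multipage_allocation_permitted(d)` directly above it, so "no hardware-access privileges" in practice means "holds no I/O-memory capability", and the two predicates can silently drift if one is later changed. If sharing the proxy is intended, define it once, `#define grant_operations_permitted(d) multipage_allocation_permitted(d)`, or add a comment on the new macro stating that it deliberately reuses the iomem_caps test (the block comment above it explains only the TLB motivation). Nothing in this changeset uses the name as spelled here — the grant_table.c call sites write `grant_flip_permitted`, so one of the two spellings needs to change.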