# HG changeset patch
# User Alex Williamson <alex.williamson@xxxxxx>
# Date 1203694570 25200
# Node ID 99478ffd81ee8685e6376210a1bd654c3790bf8d
# Parent 4b9f2293d7507bab5cd6952c2c97e7b3d057641a
[IA64] Fix vulnerability of privcmd_mmap
empty_zero_page can be polluted by writing to a page mapped through
privcmd_mmap(), i.e. a user program can hang the privileged
domain (dom0), although root privilege is required to do so.
Resetting the VM_PFNMAP flag is a little bit kludgy, but
fixes the issue.
After this patch is applied, other patches to Qemu become
necessary to create a HVM domain.
Signed-off-by: Kouya Shimura <kouya@xxxxxxxxxxxxxx>
---
arch/ia64/xen/hypervisor.c | 21 ++++++++++++++++++---
1 files changed, 18 insertions(+), 3 deletions(-)
diff -r 4b9f2293d750 -r 99478ffd81ee arch/ia64/xen/hypervisor.c
--- a/arch/ia64/xen/hypervisor.c Fri Feb 22 10:06:03 2008 +0000
+++ b/arch/ia64/xen/hypervisor.c Fri Feb 22 08:36:10 2008 -0700
@@ -653,6 +653,12 @@ xen_ia64_privcmd_entry_mmap(struct vm_ar
prot = vma->vm_page_prot;
error = remap_pfn_range(vma, addr, gpfn, 1 << PAGE_SHIFT, prot);
+ /*
+ * VM_PFNMAP is set in remap_pfn_range().
+ * Reset the flag to avoid BUG_ON() in do_no_page().
+ */
+ vma->vm_flags &= ~VM_PFNMAP;
+
if (error != 0) {
error = HYPERVISOR_zap_physmap(gpfn, 0);
if (error)
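Review bot: The comment on the added `vma->vm_flags &= ~VM_PFNMAP;` only says it avoids a BUG_ON() in do_no_page(), not why the nopage path is wanted, so a later reader sees an unconditional flag flip right after remap_pfn_range() and may be tempted to put VM_PFNMAP back. I would extend it to `/* remap_pfn_range() sets VM_PFNMAP; clear it so a fault on an entry that was not mapped reaches xen_ia64_privcmd_vma_nopage() (SIGBUS) instead of being backed by the zero page, which a writable privcmd mapping could otherwise corrupt. */`. The flag is also cleared when remap_pfn_range() returned an error and the entry is zapped below, which looks harmless because nothing was installed, but that is worth stating. xen_ia64_privcmd_entry_mmap() starts and ends outside the hunk.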
@@ -706,9 +712,18 @@ static void xen_ia64_privcmd_vma_open(st
static void xen_ia64_privcmd_vma_open(struct vm_area_struct *vma);
static void xen_ia64_privcmd_vma_close(struct vm_area_struct *vma);
+static struct page *
+xen_ia64_privcmd_vma_nopage(struct vm_area_struct *vma,
+ unsigned long address,
+ int *type)
+{
+ return NOPAGE_SIGBUS;
+}
+
struct vm_operations_struct xen_ia64_privcmd_vm_ops = {
- .open = &xen_ia64_privcmd_vma_open,
- .close = &xen_ia64_privcmd_vma_close,
+ .open = xen_ia64_privcmd_vma_open,
+ .close = xen_ia64_privcmd_vma_close,
+ .nopage = xen_ia64_privcmd_vma_nopage
};
static void
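Review bot: xen_ia64_privcmd_vma_nopage() is the piece that turns a fault on an unpopulated privcmd page into SIGBUS, yet it carries no comment, so its unconditional `return NOPAGE_SIGBUS;` reads like a stub. I would add above the definition `/* Every valid page of a privcmd range is installed by remap_pfn_range(); a fault that reaches here is an access to an entry that was never mapped, so refuse it rather than let the VM supply an anonymous/zero page. */`, and say that vma, address and type are deliberately ignored so nobody later tries to resolve the address here. The `.open`/`.close` ampersand removal in the same hunk is cosmetic and fine.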
@@ -832,7 +847,7 @@ privcmd_mmap(struct file * file, struct
privcmd_range->res = res;
/* DONTCOPY is essential for Xen as copy_page_range is broken. */
- vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY | VM_PFNMAP;
+ vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY;
atomic_set(&privcmd_range->ref_count, 1);
privcmd_range->pgoff = vma->vm_pgoff;
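Review bot: Dropping VM_PFNMAP from the flags set at mmap time is only half of the arrangement: remap_pfn_range() puts the flag back on every entry mapping and xen_ia64_privcmd_entry_mmap() clears it again, so the invariant "this vma never keeps VM_PFNMAP" is spread over two places with no comment tying them together. I would extend the existing comment line to `/* DONTCOPY is essential for Xen as copy_page_range is broken. No VM_PFNMAP: faults on unmapped entries must reach .nopage; see xen_ia64_privcmd_entry_mmap(). */`. VM_IO stays set, which is presumably what keeps get_user_pages() off these mappings now that VM_PFNMAP is gone — worth confirming for this kernel. privcmd_mmap() starts and ends outside the hunk.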