[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v6 11/11] xen, common: do not implicitly permit access to mapped I/O memory

>>> On 21.04.14 at 15:45, <avanzini.arianna@xxxxxxxxx> wrote:
>  tools/libxl/libxl_create.c | 17 +++++++++++++++++
>  tools/libxl/libxl_pci.c    | 24 ++++++++++++++++++------

I doubt that doing it at this layer is correct: There are quite a few uses
of xc_domain_memory_mapping() in qemu, so I think as a first step
you should retain libxc functionality unchanged by issuing both domctls
there. If that ever needs further separation, that would then be a
second patch.

> --- a/tools/libxl/libxl_create.c
> +++ b/tools/libxl/libxl_create.c
> @@ -1151,6 +1151,23 @@ static void domcreate_launch_dm(libxl__egc *egc, 
> libxl__multidev *multidev,
>              libxl__spawn_stub_dm(egc, &dcs->dmss);
>          else
>              libxl__spawn_local_dm(egc, &dcs->dmss.dm);
> +
> +        /*
> +         * If VGA passthru is enabled by domain config, be sure that the
> +         * domain can access VGA-related iomem regions.
> +         */
> +        if (d_config->b_info.u.hvm.gfx_passthru.val) {
> +            uint64_t vga_iomem_start = 0xa0000 >> XC_PAGE_SHIFT;
> +            ret = xc_domain_iomem_permission(CTX->xch, domid,
> +                                             vga_iomem_start, 0x20, 1);
> +            if (ret < 0) {
> +                LOGE(ERROR,
> +                     "failed to give dom%d access to iomem range "
> +                     "%"PRIx64"-%"PRIx64" for VGA passthru",
> +                     domid, vga_iomem_start, (vga_iomem_start + 0x20 - 1));
> +                goto error_out;
> +            }
> +        }

Considering that this code isn't being moved here - what's the
rationale for the sudden need to special case VGA pass-through
here?

> @@ -886,14 +889,14 @@ static int do_pci_add(libxl__gc *gc, uint32_t domid, 
> libxl_device_pci *pcidev, i
>                  continue;
>              size = end - start + 1;
>              if (start) {
> -                if (flags & PCI_BAR_IO) {
> +                if ((flags & PCI_BAR_IO) && !hvm) {
>                      rc = xc_domain_ioport_permission(ctx->xch, domid, start, 
> size, 1);

If this whole thing gets unified, treating I/O ports and MMIO differently
isn't an optimal choice.

> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -838,7 +838,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) 
> u_domctl)
>              return ret;
>  
>          ret = -EPERM;
> -        if ( !iomem_access_permitted(current->domain, mfn, mfn_end) )
> +        if ( !iomem_access_permitted(current->domain, mfn, mfn_end) ||
> +             !iomem_access_permitted(d, mfn, mfn_end) )

The former check should now be pointless here, and ought to be done
in the XEN_DOMCTL_iomem_permission handler instead (in fact it
should always have got done there, and that would be a security issue
if there wasn't the waiver put in place by XSA-77).

Jan


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.