
Re: [Xen-devel] [PATCH v2 08/13] x86: add iommu_op to query reserved ranges



> -----Original Message-----
> From: George Dunlap [mailto:george.dunlap@xxxxxxxxxx]
> Sent: 11 July 2018 11:34
> To: Paul Durrant <Paul.Durrant@xxxxxxxxxx>; xen-devel@xxxxxxxxxxxxxxxxxxxx
> Cc: Jan Beulich <jbeulich@xxxxxxxx>; Andrew Cooper
> <Andrew.Cooper3@xxxxxxxxxx>; George Dunlap
> <George.Dunlap@xxxxxxxxxx>; Ian Jackson <Ian.Jackson@xxxxxxxxxx>; Konrad
> Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>; Stefano Stabellini
> <sstabellini@xxxxxxxxxx>; Tim (Xen.org) <tim@xxxxxxx>; Wei Liu
> <wei.liu2@xxxxxxxxxx>
> Subject: Re: [PATCH v2 08/13] x86: add iommu_op to query reserved ranges
> 
> On 07/07/2018 12:05 PM, Paul Durrant wrote:
> > @@ -35,17 +93,33 @@ static void iommu_op(xen_iommu_op_t *op)
> >
> >  int do_one_iommu_op(xen_iommu_op_buf_t *buf)
> >  {
> > -    xen_iommu_op_t op;
> > +    xen_iommu_op_t op = {};
> > +    size_t offset;
> > +    static const size_t op_size[] = {
> > +        [XEN_IOMMUOP_query_reserved] = sizeof(struct
> xen_iommu_op_query_reserved),
> > +    };
> > +
> > +    offset = offsetof(struct xen_iommu_op, u);
> >
> > -    if ( buf->size < sizeof(op) )
> > +    if ( buf->size < offset )
> >          return -EFAULT;
> >
> > -    if ( copy_from_guest((void *)&op, buf->h, sizeof(op)) )
> > +    if ( copy_from_guest((void *)&op, buf->h, offset) )
> >          return -EFAULT;
> >
> >      if ( op.pad )
> >          return -EINVAL;
> >
> > +    if ( op.op >= ARRAY_SIZE(op_size) )
> > +        return -EOPNOTSUPP;
> > +
> > +    if ( buf->size < offset + op_size[op.op] )
> > +        return -EFAULT;
> > +
> > +    if ( copy_from_guest_offset((void *)&op.u, buf->h, offset,
> > +                                op_size[op.op]) )
> > +        return -EFAULT;
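
Review bot: The two `op_size[op.op]` reads, in the `buf->size < offset + op_size[op.op]` check and in the `copy_from_guest_offset()` call, index with a guest-supplied `op.op` that is bounded only by the preceding `if ( op.op >= ARRAY_SIZE(op_size) )` branch, and that branch does not constrain the index under speculative execution. Clamp the value once, right after the bounds check, for example `op.op = array_index_nospec(op.op, ARRAY_SIZE(op_size));`, so that both later accesses use the clamped index. Separately, `op_size[]` is filled by a designated initializer, so if any opcode below `XEN_IOMMUOP_query_reserved` has no entry its size is 0, the second size check passes trivially and the copy is empty; consider returning -EOPNOTSUPP when `op_size[op.op]` is zero.
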
> 
> This looks like part of a potential SP1 gadget, so this needs to use
> array_index_nospec().
> 

Ok. There is similar code in dm ops too so I'll have a look while I'm at it.

  Paul

>  -George