
[PATCH 4/4] xen/arm: Correct the p2m pool size calculations


  • To: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Wed, 26 Oct 2022 11:20:18 +0100
  • Authentication-results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Xen Security Team <security@xxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, "Bertrand Marquis" <bertrand.marquis@xxxxxxx>, Henry Wang <Henry.Wang@xxxxxxx>, "Anthony PERARD" <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Wed, 26 Oct 2022 10:20:57 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Allocating or freeing p2m pages doesn't alter the size of the mempool; only
the split between free and used pages.

Right now, the hypercalls operate on the free subset of the pool, meaning that
XEN_DOMCTL_get_p2m_mempool_size varies with time as the guest shuffles its
physmap, and XEN_DOMCTL_set_p2m_mempool_size ignores the used subset of the
pool and lets the guest grow unbounded.

This fixes test-p2m-pool on ARM so that the behaviour matches x86.

This is part of XSA-409 / CVE-2022-33747.

Fixes: cbea5a1149ca ("xen/arm: Allocate and free P2M pages from the P2M pool")
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Xen Security Team <security@xxxxxxx>
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
CC: Wei Liu <wl@xxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Julien Grall <julien@xxxxxxx>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
CC: Bertrand Marquis <bertrand.marquis@xxxxxxx>
CC: Henry Wang <Henry.Wang@xxxxxxx>
CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
---
 xen/arch/arm/p2m.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c
index 92b678cf0d09..dd9696c48312 100644
--- a/xen/arch/arm/p2m.c
+++ b/xen/arch/arm/p2m.c
@@ -72,7 +72,6 @@ static struct page_info *p2m_alloc_page(struct domain *d)
             spin_unlock(&d->arch.paging.lock);
             return NULL;
         }
-        d->arch.paging.p2m_total_pages--;
     }
     spin_unlock(&d->arch.paging.lock);
 
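Review bot: With the decrement after the failed-allocation check in p2m_alloc_page() removed, nothing in this function records that a page has left the freelist, so p2m_total_pages now has to mean free plus used pages. A one-line comment here or on the field stating that invariant would help the next reader, given the commit message says the hypercalls previously operated on the free subset. It would also be worth confirming that the set-size path, which is not visible in this hunk, handles a shrink request below the number of pages currently in use.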
@@ -85,10 +84,7 @@ static void p2m_free_page(struct domain *d, struct page_info 
*pg)
     if ( is_hardware_domain(d) )
         free_domheap_page(pg);
     else
-    {
-        d->arch.paging.p2m_total_pages++;
         page_list_add_tail(pg, &d->arch.paging.p2m_freelist);
-    }
     spin_unlock(&d->arch.paging.lock);
 }
 
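Review bot: In the else branch of p2m_free_page(), the page now goes back onto p2m_freelist with no counter change, which is only correct if every page reaching this branch was already counted in p2m_total_pages when it entered the pool. Consider a comment, or an ASSERT if a cheap one is available, noting that pages freed here for a non-hardware domain must have come from p2m_alloc_page(); otherwise a page from another source would lengthen the freelist beyond the counted total. The is_hardware_domain() branch is unaffected, since it frees straight to the domheap and never touched the counter.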
-- 
2.11.0
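The accounting problem described in the commit message, as an added example that is not Xen code and not part of the original mail: a counters-only model comparing pre-patch and patched bookkeeping. The names `struct pool`, `pool_set_size`, `pool_alloc` and `footprint_after` are hypothetical, and the set-size behaviour (add free pages until the counter reaches the target) is an assumption made for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model: counters only, no real pages or locking. */
struct pool {
    unsigned long total; /* models d->arch.paging.p2m_total_pages */
    unsigned long free;  /* length of the modelled p2m_freelist */
    unsigned long used;  /* pages handed out for the guest's p2m */
    bool buggy;          /* true: pre-patch accounting */
};

/* Assumed set-size behaviour: add free pages until total == target. */
static void pool_set_size(struct pool *p, unsigned long target)
{
    while ( p->total < target )
    {
        p->total++;
        p->free++;
    }
}

static bool pool_alloc(struct pool *p)
{
    if ( !p->free )
        return false;
    p->free--;
    p->used++;
    if ( p->buggy )
        p->total--; /* the decrement the patch deletes */
    return true;
}

/* Repeat "set the limit, then allocate until the pool is empty". */
unsigned long footprint_after(bool buggy, unsigned long limit, int rounds)
{
    struct pool p = { .buggy = buggy };

    for ( int i = 0; i < rounds; i++ )
    {
        pool_set_size(&p, limit);
        while ( pool_alloc(&p) )
            ;
    }
    return p.free + p.used; /* memory really held for the domain */
}

int main(void)
{
    printf("pre-patch: %lu pages, patched: %lu pages\n",
           footprint_after(true, 16, 4), footprint_after(false, 16, 4));
    return 0;
}
```

With the pre-patch accounting the counter falls back to zero each time the pool is drained, so every set-size call tops it up again; with the patched accounting the second and later calls are no-ops.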




 

