
[PATCH v2] gnttab: don't silently truncate GFNs in compat setup-table handling


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 2 Dec 2022 10:46:36 +0100
  • Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>
  • Delivery-date: Fri, 02 Dec 2022 09:46:51 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Returning back truncated frame numbers is unhelpful: Quite likely
they're not owned by the domain (if it's PV), or we may misguide the
guest into writing grant entries into a page that it actually uses for
other purposes.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
v2: Drop use of VALID_M2P(). Use "break". Move type change for "frame"
    here (from earlier patch).
---
RFC: Arguably in the 32-bit PV case it may be necessary to instead put
     in place an explicit address restriction when allocating
     ->shared_raw[N]. This is currently implicit by alloc_xenheap_page()
     only returning memory covered by the direct-map.

--- unstable.orig/xen/common/compat/grant_table.c       2022-10-10 
11:02:21.198223952 +0200
+++ unstable/xen/common/compat/grant_table.c    2022-10-10 10:31:25.000000000 
+0200
@@ -176,7 +176,12 @@ int compat_grant_table_op(
                     { \
                         for ( i = 0; i < (_s_)->nr_frames; ++i ) \
                         { \
-                            unsigned int frame = (_s_)->frame_list.p[i]; \
+                            compat_pfn_t frame = (_s_)->frame_list.p[i]; \
+                            if ( frame != (_s_)->frame_list.p[i] ) \
+                            { \
+                                (_s_)->status = GNTST_address_too_big; \
+                                break; \
+                            } \
                             if ( __copy_to_compat_offset((_d_)->frame_list, \
                                                          i, &frame, 1) ) \
                             { \
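Review bot: the truncation test `if ( frame != (_s_)->frame_list.p[i] )` reads like a tautology unless the reader notices that `frame` was just narrowed to `compat_pfn_t` from the wider native element type; a short comment on that line ("detect truncation when narrowing to a 32-bit frame number") would make the intent obvious, as would naming the error path in the commit message. Also worth stating explicitly, either in a comment next to the `break` or in the description: on failure the loop stops with entries `0..i-1` already copied into `(_d_)->frame_list` and the remaining entries untouched, so the caller is relied upon to honour `GNTST_address_too_big` in `(_s_)->status` and not consume the partially filled list. Finally, the check only reports the problem after the native setup has already succeeded, so the hypervisor-side table state is extended even though the guest receives an error; the RFC note above about restricting the `->shared_raw[N]` allocation address is the real fix for that, and it would help to say in the description that this patch is only the reporting half.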
