[PATCH] x86/domctl: Reject XEN_DOMCTL_hypercall_init against oneself
A toolstack is expected to use XEN_DOMCTL_hypercall_init where applicable to
construct a new guest, but is absolutely not expected to use it against
itself. Kernels have a stable ABI for accessing the same functionality, via
MSR 0x40000000.
Found when auditing hypercalls for Host UEFI-SecureBoot safety.
Reported-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
CC: Michal Orzel <michal.orzel@xxxxxxx>
CC: Jan Beulich <jbeulich@xxxxxxxx>
CC: Julien Grall <julien@xxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
CC: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
CC: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
---
xen/arch/x86/domctl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 3044f706de1c..bf1ee4ed51a0 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -372,6 +372,14 @@ long arch_do_domctl(
struct page_info *page;
void *hypercall_page;
+ /*
+ * Kernels should use the MSR method to get a hypercall page. The
+ * toolstack should not be using the DOMCTL on itself.
+ */
+ ret = -EINVAL;
+ if ( d == currd )
+ break;
+
page = get_page_from_gfn(d, gmfn, NULL, P2M_ALLOC);
if ( !page || !get_page_type(page, PGT_writable_page) )
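Review bot: The `ret = -EINVAL;` assignment ahead of the `d == currd` test stays in effect when the test does not fire, so every path after `get_page_from_gfn()` has to set `ret` itself; those paths are outside this hunk and are worth confirming, or the assignment can be scoped to the rejection with `if ( d == currd ) { ret = -EINVAL; break; }`. The new comment also says only "the MSR method"; the commit message names MSR 0x40000000, and repeating that in the comment would let the code stand without the log. It is also worth stating in the commit message why -EINVAL was picked over a permission-style error, since the caller is being refused an operation on itself rather than passing a malformed argument.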
base-commit: 68797a710f4e91cc09fe5650ee14478316010f88
--
2.39.5