
[PATCH] x86/hvm: be more strict with XENMAPSPACE_gmfn source types


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • Date: Fri, 5 Dec 2025 10:31:51 +0100
  • Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Delivery-date: Fri, 05 Dec 2025 09:32:43 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

XENMAPSPACE_gmfn{_range} allows moving gfn around the guest p2m: the mfn
behind the source gfn is zapped from the origin and mapped at the
requested destination gfn.  The destination p2m entries are always created
with type p2m_ram_rw.

With the current checking done in xenmem_add_to_physmap_one() it's possible
to use XENMAPSPACE_gmfn{_range} to change the type of a p2m entry.  The
source gfn is only checked to not be shared, and the underlying page to be
owned by the domain.

Make the source checks more strict, by checking that the source gfn is of
type p2m_ram_rw.  That prevents the operation from inadvertently changing
the type as part of the move.

Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
The change was discussed internally by the security team and deemed not a
security issue.
---
 xen/arch/x86/mm/p2m.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index e2a00a0efd0c..452b2f8f0f10 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -2007,11 +2007,15 @@ int xenmem_add_to_physmap_one(
     {
         gmfn = idx;
         mfn = get_gfn_unshare(d, gmfn, &p2mt);
-        /* If the page is still shared, exit early */
-        if ( p2m_is_shared(p2mt) )
+        /*
+         * The entry at the destination gfn will be created as type p2m_ram_rw.
+         * Only allow moving source gfns with p2m_ram_rw type to avoid
+         * unexpected p2m type changes as a result of the operation.
+         */
+        if ( p2mt != p2m_ram_rw )
         {
             put_gfn(d, gmfn);
-            return -ENOMEM;
+            return -EACCES;
         }
         page = get_page_from_mfn(mfn, d);
         if ( unlikely(!page) )
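Review bot: the new `if ( p2mt != p2m_ram_rw )` folds the still-shared case into the generic type rejection, so a gfn that `get_gfn_unshare()` could not unshare now yields -EACCES where it previously yielded -ENOMEM; if callers rely on -ENOMEM to distinguish a transient unshare failure (worth retrying) from a permanently disallowed source type, keep the `p2m_is_shared(p2mt)` test returning -ENOMEM ahead of the new check. Either way the commit message should state the error-code change explicitly, since it is visible to guests and toolstacks, and it would help to confirm that RAM entries carrying a transient non-rw type (for example while dirty logging is active) are intentionally rejected rather than treated as ordinary RAM.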
-- 
2.51.0
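A constructed C model of the check, added here as an editor's example and not part of Xen or this patch, to make the side effect the commit message describes concrete: a tiny p2m where the destination of a move is always created as RAM_RW. Under the old shared-only check a read-only source gfn comes out of the move writable; under the stricter type check the move is refused. The type names (`p2m_type_t`, `P2M_RAM_RO`, ...), `gmfn_move()` and `demo_type_change()` are stand-ins chosen for the example, not Xen's real identifiers or data structures.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for a few p2m entry types (not Xen's enum). */
typedef enum {
    P2M_INVALID = 0,
    P2M_RAM_RW,
    P2M_RAM_RO,
    P2M_MMIO_DM,
    P2M_SHARED
} p2m_type_t;

#define P2M_SIZE    8
#define INVALID_MFN 0xFFFFFFFFUL

struct p2m_entry {
    unsigned long mfn;
    p2m_type_t    type;
};

struct p2m {
    struct p2m_entry e[P2M_SIZE];
};

static void p2m_init(struct p2m *p)
{
    for (unsigned i = 0; i < P2M_SIZE; i++) {
        p->e[i].mfn  = INVALID_MFN;
        p->e[i].type = P2M_INVALID;
    }
}

/*
 * Model of the XENMAPSPACE_gmfn move: the mfn behind src is zapped there and
 * mapped at dst, and the dst entry is always created as P2M_RAM_RW.
 * strict == 0 applies the old source check (reject only shared pages, -ENOMEM);
 * strict != 0 applies the new one (reject anything not RAM_RW, -EACCES).
 * Returns 0 on success or a negative errno.
 */
static int gmfn_move(struct p2m *p, unsigned src, unsigned dst, int strict)
{
    if (src >= P2M_SIZE || dst >= P2M_SIZE || p->e[src].mfn == INVALID_MFN)
        return -EINVAL;

    p2m_type_t t = p->e[src].type;

    if (!strict) {
        if (t == P2M_SHARED)          /* old check: only a still-shared page fails */
            return -ENOMEM;
    } else {
        if (t != P2M_RAM_RW)          /* new check: source must already be RAM_RW */
            return -EACCES;
    }

    /* Zap the source and create the destination as RAM_RW. */
    p->e[dst].mfn  = p->e[src].mfn;
    p->e[dst].type = P2M_RAM_RW;
    p->e[src].mfn  = INVALID_MFN;
    p->e[src].type = P2M_INVALID;
    return 0;
}

/*
 * Move a constructed source gfn of the given type from gfn 1 to gfn 5 and
 * report the resulting destination type, so the caller can see whether the
 * move silently changed the entry's type.
 */
static int demo_type_change(p2m_type_t src_type, int strict, p2m_type_t *dst_type)
{
    struct p2m p;
    p2m_init(&p);
    p.e[1].mfn  = 0x1000;             /* constructed sample mfn */
    p.e[1].type = src_type;

    int rc = gmfn_move(&p, 1, 5, strict);
    *dst_type = p.e[5].type;
    return rc;
}

int main(void)
{
    p2m_type_t t;
    int rc = demo_type_change(P2M_RAM_RO, 0, &t);
    printf("old check: rc=%d, dst type=%d (RAM_RO became RAM_RW: %s)\n",
           rc, t, (rc == 0 && t == P2M_RAM_RW) ? "yes" : "no");
    rc = demo_type_change(P2M_RAM_RO, 1, &t);
    printf("new check: rc=%d (-EACCES=%d), dst type=%d\n", rc, -EACCES, t);
    return 0;
}
```

The model keeps only the structure of the check, not the locking or refcounting of the real function; its point is that the type of the destination entry is fixed by the operation, so anything the source check lets through acquires that type.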