Re: [PATCH] x86/hvm: be more strict with XENMAPSPACE_gmfn source types
- To: xen-devel@xxxxxxxxxxxxxxxxxxxx
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Fri, 5 Dec 2025 11:11:10 +0100
- Cc: Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Delivery-date: Fri, 05 Dec 2025 10:11:32 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Fri, Dec 05, 2025 at 10:31:51AM +0100, Roger Pau Monne wrote:
> XENMAPSPACE_gmfn{_range} allows moving gfn around the guest p2m: the mfn
> behind the source gfn is zapped from the origin and mapped at the
> requested destination gfn. The destination p2m entries are always created
> with type p2m_ram_rw.
>
> With the current checking done in xenmem_add_to_physmap_one() it's possible
> to use XENMAPSPACE_gmfn{_range} to change the type of a p2m entry. The
> source gfn is only checked to be not shared, and that the underlying page
> is owned by the domain.
>
> Make the source checks more strict, by checking that the source gfn is of
> type p2m_ram_rw. That prevents the operation from inadvertently changing
> the type as part of the move.
This is missing:
Fixes: 3e50af3d8776 ('New XENMAPSPACE_gmfn parameter for
XENMEM_add_to_physmap.')
The hypercall was missing any p2m type checks since introduction.
It's possible the get_page() seemed enough, but it was dangerous to
not account for new incompatible p2m types being added down the road.
Thanks, Roger.
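To make the type-laundering concern in the quoted description concrete, the following is an added toy model written for this page, not Xen's code: the `toy_p2m` table, the `enum p2m_type` values and the `move_gfn()`/`demo()` functions are all assumptions that only mirror the behaviour described above (destination always created as `p2m_ram_rw`, source previously checked only for "present and not shared"). It shows how a move of a non-`p2m_ram_rw` source entry ends up with a different type at the destination under the lax check, and is rejected under the stricter one.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed p2m entry types for this model; names are borrowed from the
 * discussion but this is not Xen's real enum. */
enum p2m_type { p2m_invalid = 0, p2m_ram_rw, p2m_ram_ro, p2m_mmio_direct, p2m_shared };

struct p2m_entry { uint64_t mfn; enum p2m_type type; };

#define NR_GFNS 8
struct toy_p2m { struct p2m_entry e[NR_GFNS]; };

/* Old behaviour as described: source only has to be present and not shared. */
static bool source_ok_lax(const struct toy_p2m *p2m, unsigned gfn)
{
    return p2m->e[gfn].type != p2m_invalid && p2m->e[gfn].type != p2m_shared;
}

/* Behaviour after the patch as described: source must be p2m_ram_rw. */
static bool source_ok_strict(const struct toy_p2m *p2m, unsigned gfn)
{
    return p2m->e[gfn].type == p2m_ram_rw;
}

/* Model of the move: zap the source entry, create the destination entry with
 * type p2m_ram_rw. Returns 0 on success, -1 if the source check rejects it. */
int move_gfn(struct toy_p2m *p2m, unsigned src, unsigned dst, bool strict)
{
    if (src >= NR_GFNS || dst >= NR_GFNS || src == dst)
        return -1;
    if (!(strict ? source_ok_strict(p2m, src) : source_ok_lax(p2m, src)))
        return -1;

    uint64_t mfn = p2m->e[src].mfn;
    p2m->e[src] = (struct p2m_entry){ 0, p2m_invalid };
    p2m->e[dst] = (struct p2m_entry){ mfn, p2m_ram_rw };
    return 0;
}

/* Start from a constructed table where gfn 1 is a read-only RAM mapping,
 * attempt to move it to gfn 2, and report the resulting type at gfn 2
 * (p2m_invalid if the move was rejected and gfn 2 stayed unmapped). */
enum p2m_type demo(bool strict)
{
    struct toy_p2m p2m = { 0 };
    p2m.e[1] = (struct p2m_entry){ .mfn = 0x1234, .type = p2m_ram_ro }; /* constructed */

    if (move_gfn(&p2m, 1, 2, strict) != 0)
        return p2m_invalid;
    return p2m.e[2].type;
}

int main(void)
{
    printf("lax check:    gfn 2 type after move = %d (p2m_ram_rw is %d)\n",
           demo(false), p2m_ram_rw);
    printf("strict check: gfn 2 type after move = %d (p2m_invalid is %d)\n",
           demo(true), p2m_invalid);
    return 0;
}
```

With the lax check the read-only source is re-created as read-write at the destination, which is exactly the type change the patch description calls inadvertent; with the strict check the move is refused and the table is left untouched. The `src == dst` guard is an addition of this model for clarity, not something the page states.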