[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3] x86/domain: adjust limitation on shared_info allocation below 4G

  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Thu, 5 Feb 2026 19:37:41 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yFQYl0Y5OkRfjuc7gvQp0cFLG9spXPKgUMOz33RxD3I=; b=rfCv2UrpZgP6g1+13tprW1ud0ZGnk/asd14Ews43RX1yHtz04hZXh2bF1NfVi0pAYnUEVzvgaxS2pWnXwhqRK/MVV86h/BHm2AR8QNdELcq9VcTdbZyIqf+YUU9JMSU3r+Ejq6o9bDtjwJ76XeltLwaN2bvWopWliBbAkm/DZIZAnesSdoOOxAa8P4l1Y5NoIidqBY6/hQvlVeH4bfJeFvhKaNGvd1J8+aynMP/m8AgkuPYgOvXZ/TftSv+YAR2ckW+QxYQ8rbjL2vFsvJQK+R245i0rIF31fPKwhaw16mgZHLQFq+4hacTRwg1apLkMS7w8cUAqXzgcWJpbkVlW4Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=TZo5Dro6s46edGVxFMMy7nFF72MRftPhLD3h/vxRbno0ZF9H3P6jiueO8GkPS7ORZczpAoSeJGC+7SjIYJLtf9nniQWTTyHI7eb09x6yhRcCHSRoAuku5VZWo+OFPeLsHuw3ux+krQPLgzmH87vYvohqA5v7dIemHRdvu1KlcBbODZpLs7EAubleGaiAK0HPB8Ub/f0Ojw4u7XsJllUREhv/fbnzmLC0hjP8nMaegvHDf+TE7unSMh8Rrx0Nhvvj76/3pIB2Gok8N9XDfXbIWJtpMGl61HOCE4bLo3t3fosZJCap2nK7LTHniddrUp9cBEBv/n2Accs5Kftt/n4J/Q==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Jan Beulich <jbeulich@xxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>
  • Delivery-date: Thu, 05 Feb 2026 18:37:56 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Feb 05, 2026 at 06:31:04PM +0000, Andrew Cooper wrote:
> On 05/02/2026 8:03 am, Roger Pau Monne wrote:
> > diff --git a/xen/arch/x86/pv/domain.c b/xen/arch/x86/pv/domain.c
> > index 01499582d2d6..e3273b49269d 100644
> > --- a/xen/arch/x86/pv/domain.c
> > +++ b/xen/arch/x86/pv/domain.c
> > @@ -247,6 +247,34 @@ int switch_compat(struct domain *d)
> >      d->arch.has_32bit_shinfo = 1;
> >      d->arch.pv.is_32bit = true;
> >  
> > +    /*
> > +     * For 32bit PV guests the shared_info machine address must fit in a 
> > 32-bit
> > +     * field within the guest's start_info structure.  We might need to 
> > free
> > +     * the current page and allocate a new one that fulfills this 
> > requirement.
> > +     */
> > +    if ( virt_to_maddr(d->shared_info) >> 32 )
> > +    {
> > +        shared_info_t *prev = d->shared_info;
> > +
> > +        d->shared_info = alloc_xenheap_pages(0, MEMF_bits(32));
> > +        if ( !d->shared_info )
> > +        {
> > +            d->shared_info = prev;
> > +            rc = -ENOMEM;
> > +            goto undo_and_fail;
> > +        }
> > +        put_page(virt_to_page(prev));
> > +        clear_page(d->shared_info);
> > +        share_xen_page_with_guest(virt_to_page(d->shared_info), d, 
> > SHARE_rw);
> > +        /*
> > +         * Ensure all pointers to the old shared_info page are replaced.  
> > vCPUs
> > +         * below XEN_LEGACY_MAX_VCPUS will stash a pointer to
> > +         * shared_info->vcpu_info[id].
> > +         */
> > +        for_each_vcpu ( d, v )
> > +            vcpu_info_reset(v);
> 
> Sorry, I missed something.  Reading this in full, there's an obvious
> (risk of) UAF.
> 
> put_page(virt_to_page(prev)) needs to be no earlier than here, or we've
> freed a page that we still have pointers pointing at.
> 
> In practice, I expect that the global domctl lock protects us from
> anything actually going wrong.
> 
> Nevertheless, for the sake of reordering the actions in this block, lets
> just fix it.

Yeah, I've already made that change.  At this point in the domain life
cycle and with d->tot_pages == 0 and the domctl lock held, the vcpu
info area shouldn't be updated in parallel to the bitnewss being
changed, but better make this in the right order.

Thanks for spotting, Roger.

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.