
[Xen-ia64-devel] [PATCH][Linux] fix vulnerability of privcmd_mmap



Hi,

empty_zero_page can be polluted by writing to a page
through privcmd_mmap(), i.e. a user program can hang a
privileged domain (dom0), although root privilege is required.

The attached patch fixes it. Resetting the VM_PFNMAP flag
is a little bit of a kludge. Is there any better solution?

After this patch is applied, other patches to Qemu become
necessary to create a HVM domain. I'll post them later.

Thanks,
Kouya

Signed-off-by: Kouya Shimura <kouya@xxxxxxxxxxxxxx>

diff -r 65a419f81336 arch/ia64/xen/hypervisor.c
--- a/arch/ia64/xen/hypervisor.c        Tue Feb 19 11:22:24 2008 -0700
+++ b/arch/ia64/xen/hypervisor.c        Thu Feb 21 15:58:39 2008 +0900
@@ -653,6 +653,12 @@ xen_ia64_privcmd_entry_mmap(struct vm_ar
 
        prot = vma->vm_page_prot;
        error = remap_pfn_range(vma, addr, gpfn, 1 << PAGE_SHIFT, prot);
+       /*
+        * VM_PFNMAP is set in remap_pfn_range().
+        * Reset the flag to avoid BUG_ON() in do_no_page().
+        */
+       vma->vm_flags &= ~VM_PFNMAP;
+
        if (error != 0) {
                error = HYPERVISOR_zap_physmap(gpfn, 0);
                if (error)
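Review bot: `vma->vm_flags &= ~VM_PFNMAP;` runs before the `if (error != 0)` check, so the flag is cleared even when remap_pfn_range() failed and the gpfn is about to be zapped; either move the clear under the success path or state in the comment that clearing it on the error path is intentional and harmless. The comment should also say what handles faults on unpopulated parts of the VMA once VM_PFNMAP is gone, since do_no_page() will then go through `vm_ops->nopage` instead of the BUG_ON() the comment mentions.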
@@ -706,9 +712,18 @@ static void xen_ia64_privcmd_vma_open(st
 static void xen_ia64_privcmd_vma_open(struct vm_area_struct *vma);
 static void xen_ia64_privcmd_vma_close(struct vm_area_struct *vma);
 
+static struct page *
+xen_ia64_privcmd_vma_nopage(struct vm_area_struct *vma,
+                           unsigned long address,
+                           int *type)
+{
+       return NOPAGE_SIGBUS;
+}
+
 struct vm_operations_struct xen_ia64_privcmd_vm_ops = {
-       .open = &xen_ia64_privcmd_vma_open,
-       .close = &xen_ia64_privcmd_vma_close,
+       .open = xen_ia64_privcmd_vma_open,
+       .close = xen_ia64_privcmd_vma_close,
+       .nopage = xen_ia64_privcmd_vma_nopage
 };
 
 static void
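Review bot: `xen_ia64_privcmd_vma_nopage()` returns NOPAGE_SIGBUS unconditionally, and this is the part of the change that actually prevents a fault on an unpopulated region of the privcmd VMA from being backed by empty_zero_page; a one-line comment above the function saying so would help a reader who only sees the VM_PFNMAP removal. The `vma`, `address` and `type` parameters are unused, which is acceptable for this handler. Dropping the `&` in the `.open`/`.close` initializers is a cosmetic change unrelated to the fix and could be split into its own patch.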
@@ -832,7 +847,7 @@ privcmd_mmap(struct file * file, struct 
        privcmd_range->res = res;
 
        /* DONTCOPY is essential for Xen as copy_page_range is broken. */
-       vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY | VM_PFNMAP;
+       vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY;
 
        atomic_set(&privcmd_range->ref_count, 1);
        privcmd_range->pgoff = vma->vm_pgoff;
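Review bot: with VM_PFNMAP removed from this initial flag assignment but still set by each remap_pfn_range() call in xen_ia64_privcmd_entry_mmap() and cleared there afterwards, the final state of the flag now depends on code in another function; extending the existing `DONTCOPY is essential` comment to say that VM_PFNMAP is deliberately omitted here, and why, would keep someone from re-adding it later.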
_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel
