Julien Grall
2013-Oct-23 16:28 UTC
[PATCH] xen/arm: add_to_physmap_one: Avoid to map mfn 0 if an error occurs
By default, the function add_to_physmap_one set mfn to 0. Some code paths that
result to an error, continue and the map the mfn 0 (valid on ARM) to the
slot given by the guest.
To fix the problem, return directly an error if sanity check has failed.
Signed-off-by: Julien Grall <julien.grall@linaro.org>
---
xen/arch/arm/mm.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c
index 474dfef..eaeb0c3 100644
--- a/xen/arch/arm/mm.c
+++ b/xen/arch/arm/mm.c
@@ -981,6 +981,8 @@ static int xenmem_add_to_physmap_one(
idx &= ~XENMAPIDX_grant_table_status;
if ( idx < nr_status_frames(d->grant_table) )
mfn = virt_to_mfn(d->grant_table->status[idx]);
+ else
+ return -EINVAL;
}
else
{
@@ -990,6 +992,8 @@ static int xenmem_add_to_physmap_one(
if ( idx < nr_grant_frames(d->grant_table) )
mfn = virt_to_mfn(d->grant_table->shared_raw[idx]);
+ else
+ return -EINVAL;
}
d->arch.grant_table_gpfn[idx] = gpfn;
@@ -999,6 +1003,8 @@ static int xenmem_add_to_physmap_one(
case XENMAPSPACE_shared_info:
if ( idx == 0 )
mfn = virt_to_mfn(d->shared_info);
+ else
+ return -EINVAL;
break;
case XENMAPSPACE_gmfn_foreign:
{
--
1.8.3.1
Tim Deegan
2013-Oct-24 08:11 UTC
Re: [PATCH] xen/arm: add_to_physmap_one: Avoid to map mfn 0 if an error occurs
At 17:28 +0100 on 23 Oct (1382545727), Julien Grall wrote:> By default, the function add_to_physmap_one set mfn to 0. Some code paths that > result to an error, continue and the map the mfn 0 (valid on ARM) to the > slot given by the guest. > > To fix the problem, return directly an error if sanity check has failed. > > Signed-off-by: Julien Grall <julien.grall@linaro.org>Acked-by: Tim Deegan <tim@xen.org>> --- > xen/arch/arm/mm.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c > index 474dfef..eaeb0c3 100644 > --- a/xen/arch/arm/mm.c > +++ b/xen/arch/arm/mm.c > @@ -981,6 +981,8 @@ static int xenmem_add_to_physmap_one( > idx &= ~XENMAPIDX_grant_table_status; > if ( idx < nr_status_frames(d->grant_table) ) > mfn = virt_to_mfn(d->grant_table->status[idx]); > + else > + return -EINVAL; > } > else > { > @@ -990,6 +992,8 @@ static int xenmem_add_to_physmap_one( > > if ( idx < nr_grant_frames(d->grant_table) ) > mfn = virt_to_mfn(d->grant_table->shared_raw[idx]); > + else > + return -EINVAL; > } > > d->arch.grant_table_gpfn[idx] = gpfn; > @@ -999,6 +1003,8 @@ static int xenmem_add_to_physmap_one( > case XENMAPSPACE_shared_info: > if ( idx == 0 ) > mfn = virt_to_mfn(d->shared_info); > + else > + return -EINVAL; > break; > case XENMAPSPACE_gmfn_foreign: > { > -- > 1.8.3.1 >
Stefano Stabellini
2013-Oct-24 10:22 UTC
Re: [PATCH] xen/arm: add_to_physmap_one: Avoid to map mfn 0 if an error occurs
On Wed, 23 Oct 2013, Julien Grall wrote:> By default, the function add_to_physmap_one set mfn to 0. Some code paths that > result to an error, continue and the map the mfn 0 (valid on ARM) to the > slot given by the guest. > > To fix the problem, return directly an error if sanity check has failed. > > Signed-off-by: Julien Grall <julien.grall@linaro.org>Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>> xen/arch/arm/mm.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c > index 474dfef..eaeb0c3 100644 > --- a/xen/arch/arm/mm.c > +++ b/xen/arch/arm/mm.c > @@ -981,6 +981,8 @@ static int xenmem_add_to_physmap_one( > idx &= ~XENMAPIDX_grant_table_status; > if ( idx < nr_status_frames(d->grant_table) ) > mfn = virt_to_mfn(d->grant_table->status[idx]); > + else > + return -EINVAL; > } > else > { > @@ -990,6 +992,8 @@ static int xenmem_add_to_physmap_one( > > if ( idx < nr_grant_frames(d->grant_table) ) > mfn = virt_to_mfn(d->grant_table->shared_raw[idx]); > + else > + return -EINVAL; > } > > d->arch.grant_table_gpfn[idx] = gpfn; > @@ -999,6 +1003,8 @@ static int xenmem_add_to_physmap_one( > case XENMAPSPACE_shared_info: > if ( idx == 0 ) > mfn = virt_to_mfn(d->shared_info); > + else > + return -EINVAL; > break; > case XENMAPSPACE_gmfn_foreign: > { > -- > 1.8.3.1 >
Ian Campbell
2013-Oct-24 14:00 UTC
Re: [PATCH] xen/arm: add_to_physmap_one: Avoid to map mfn 0 if an error occurs
On Wed, 2013-10-23 at 17:28 +0100, Julien Grall wrote:> By default, the function add_to_physmap_one set mfn to 0. Some code paths that > result to an error, continue and the map the mfn 0 (valid on ARM) to the > slot given by the guest. > > To fix the problem, return directly an error if sanity check has failed. > > Signed-off-by: Julien Grall <julien.grall@linaro.org>applied,thanks.
Reasonably Related Threads
- Bug#800128: xen: CVE-2015-6654: printk is not rate-limited in xenmem_add_to_physmap_one
- [PATCH v2 1/2] xenconsoled: use grant references instead of map_foreign_range
- [V6 PATCH 0/7]: PVH dom0....
- xc_map_foreign_range with mfn?
- xc_translate_foreign_address() returns mfn??