ia64/linux-2.6.18-xen.hg

changeset 438:99478ffd81ee

[IA64] Fix vulnerability of privcmd_mmap

empty_zero_page can be polluted by writing to a page through
privcmd_mmap(), i.e. a user program can hang a privileged
domain (dom0), although root privilege is required.

Resetting the VM_PFNMAP flag is a little bit kludgy, but
fixes the issue.

After this patch is applied, other patches to Qemu become
necessary to create a HVM domain.

Signed-off-by: Kouya Shimura <kouya@jp.fujitsu.com>
author Alex Williamson <alex.williamson@hp.com>
date Fri Feb 22 08:36:10 2008 -0700 (2008-02-22)
parents 4b9f2293d750
children 30993af85114
files arch/ia64/xen/hypervisor.c
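--- a/arch/ia64/xen/hypervisor.c
+++ b/arch/ia64/xen/hypervisor.c
@@ -653,6 +653,12 @@ xen_ia64_privcmd_entry_mmap(struct vm_ar
 
 	prot = vma->vm_page_prot;
 	error = remap_pfn_range(vma, addr, gpfn, 1 << PAGE_SHIFT, prot);
+	/*
+	 * VM_PFNMAP is set in remap_pfn_range().
+	 * Reset the flag to avoid BUG_ON() in do_no_page().
+	 */
+	vma->vm_flags &= ~VM_PFNMAP;
+
 	if (error != 0) {
 		error = HYPERVISOR_zap_physmap(gpfn, 0);
 		if (error)
@@ -706,9 +712,18 @@ xen_ia64_privcmd_entry_close(struct xen_
 static void xen_ia64_privcmd_vma_open(struct vm_area_struct *vma);
 static void xen_ia64_privcmd_vma_close(struct vm_area_struct *vma);
 
+static struct page *
+xen_ia64_privcmd_vma_nopage(struct vm_area_struct *vma,
+			    unsigned long address,
+			    int *type)
+{
+	return NOPAGE_SIGBUS;
+}
+
 struct vm_operations_struct xen_ia64_privcmd_vm_ops = {
-	.open = &xen_ia64_privcmd_vma_open,
-	.close = &xen_ia64_privcmd_vma_close,
+	.open = xen_ia64_privcmd_vma_open,
+	.close = xen_ia64_privcmd_vma_close,
+	.nopage = xen_ia64_privcmd_vma_nopage
 };
 
 static void
@@ -832,7 +847,7 @@ privcmd_mmap(struct file * file, struct 
 	privcmd_range->res = res;
 
 	/* DONTCOPY is essential for Xen as copy_page_range is broken. */
-	vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY | VM_PFNMAP;
+	vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY;
 
 	atomic_set(&privcmd_range->ref_count, 1);
 	privcmd_range->pgoff = vma->vm_pgoff;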
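Review bot: The new comment at the `vma->vm_flags &= ~VM_PFNMAP;` line in xen_ia64_privcmd_entry_mmap() explains which BUG_ON() it avoids but not why a fault on a still-unmapped privcmd address is safe once the flag is gone, which is the security-relevant half of this change and is otherwise only recoverable from the commit message. The clear is also placed before the `error != 0` check, so it runs even when remap_pfn_range() failed and the entry is about to be zapped; that looks harmless, but since vm_flags is VMA-wide and each per-entry remap_pfn_range() re-sets the bit, the invariant a reader needs is that VM_PFNMAP is clear whenever the VMA can take a fault. I would extend the comment to: `/* remap_pfn_range() sets VM_PFNMAP; clear it so a fault on an unpopulated address reaches do_no_page() (which BUG_ONs on VM_PFNMAP) and is answered by xen_ia64_privcmd_vma_nopage() with NOPAGE_SIGBUS, presumably instead of the anonymous-fault path that previously handed out a writable empty_zero_page. */`. The .nopage handler in the second hunk deserves a one-line comment saying the same from its side, e.g. `/* privcmd VMAs are populated only via remap_pfn_range(); any other fault is an error. */`. The enclosing function starts before this hunk and continues past it.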