
changeset 12507:781ea5017f18

[XEN] Restrict access to grant-mapping operations.
The TLB flush is not guaranteed to complete before the mappee is
notified -- this leaves a window in which a multi-VCPU mapping guest
could use a stale mapping from another VCPU.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author kfraser@localhost.localdomain
date Fri Nov 17 10:48:34 2006 +0000 (2006-11-17)
parents 075f4ffdbbce
children 726960294d4b
files xen/common/grant_table.c xen/include/xen/iocap.h
     1.1 --- a/xen/common/grant_table.c	Fri Nov 17 10:34:08 2006 +0000
     1.2 +++ b/xen/common/grant_table.c	Fri Nov 17 10:48:34 2006 +0000
     1.3 @@ -24,6 +24,8 @@
     1.4   * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
     1.5   */
     1.6  
     1.7 +#include <xen/config.h>
     1.8 +#include <xen/iocap.h>
     1.9  #include <xen/lib.h>
    1.10  #include <xen/sched.h>
    1.11  #include <xen/shadow.h>
    1.12 @@ -991,6 +993,9 @@ do_grant_table_op(
    1.13              guest_handle_cast(uop, gnttab_map_grant_ref_t);
    1.14          if ( unlikely(!guest_handle_okay(map, count)) )
    1.15              goto out;
    1.16 +        rc = -EPERM;
    1.17 +        if ( unlikely(!grant_flip_permitted(d)) )
    1.18 +            goto out;
    1.19          rc = gnttab_map_grant_ref(map, count);
    1.20          break;
    1.21      }
    1.22 @@ -1000,6 +1005,9 @@ do_grant_table_op(
    1.23              guest_handle_cast(uop, gnttab_unmap_grant_ref_t);
    1.24          if ( unlikely(!guest_handle_okay(unmap, count)) )
    1.25              goto out;
    1.26 +        rc = -EPERM;
    1.27 +        if ( unlikely(!grant_flip_permitted(d)) )
    1.28 +            goto out;
    1.29          rc = gnttab_unmap_grant_ref(unmap, count);
    1.30          break;
    1.31      }
    1.32 @@ -1015,6 +1023,9 @@ do_grant_table_op(
    1.33              guest_handle_cast(uop, gnttab_transfer_t);
    1.34          if ( unlikely(!guest_handle_okay(transfer, count)) )
    1.35              goto out;
    1.36 +        rc = -EPERM;
    1.37 +        if ( unlikely(!grant_flip_permitted(d)) )
    1.38 +            goto out;
    1.39          rc = gnttab_transfer(transfer, count);
    1.40          break;
    1.41      }
     2.1 --- a/xen/include/xen/iocap.h	Fri Nov 17 10:34:08 2006 +0000
     2.2 +++ b/xen/include/xen/iocap.h	Fri Nov 17 10:48:34 2006 +0000
     2.3 @@ -31,4 +31,12 @@
     2.4  #define multipage_allocation_permitted(d)               \
     2.5      (!rangeset_is_empty((d)->iomem_caps))
     2.6  
     2.7 +/*
     2.8 + * Until TLB flushing issues are sorted out we consider it unsafe for
     2.9 + * domains with no hardware-access privileges to perform grant map/transfer
    2.10 + * operations.
    2.11 + */
    2.12 +#define grant_operations_permitted(d)                   \
    2.13 +    (!rangeset_is_empty((d)->iomem_caps))
    2.14 +
    2.15  #endif /* __XEN_IOCAP_H__ */
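Review bot: The new comment describes a temporary restriction but gives no condition for removing it and says "map/transfer" although the grant_table.c callers in this changeset also gate unmap; its expansion is byte-identical to multipage_allocation_permitted two lines above, so "has a non-empty I/O memory rangeset" is being used as a stand-in for "hardware-privileged domain". I would mark the comment TEMPORARY, state that it should be dropped once grant map/unmap TLB flushing is ordered before the mappee is notified, list map, unmap and transfer as the gated operations, and note that the predicate deliberately mirrors multipage_allocation_permitted so the two stay in step. The macro body itself is fine: `d` is evaluated once and the expansion is parenthesised.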