xen/arm: Restrict the amount of memory that dom0less domU and dom0 can allocate

Currently, both dom0less domUs and dom0 can allocate an "unlimited"
amount of memory because d->max_pages is set to ~0U.

In particular, the former are meant to be unprivileged. Therefore the
memory they could allocate should be bounded. As the domain are not yet
officially aware of Xen (we don't expose advertise it in the DT, yet
the hypercalls are accessible), they should not need to allocate more
than the initial amount. So cap set d->max_pages directly the amount of
memory we are meant to allocate.

Take the opportunity to also restrict the memory for dom0 as the
domain is direct mapped (e.g. MFN == GFN) and therefore cannot
allocate outside of the pre-allocated region.

This is CVE-2021-28700 / XSA-383.

Reported-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Tested-by: Stefano Stabellini <sstabellini@kernel.org>
master commit: c08d68cd2aacbc7cb56e73ada241bfe4639bbc68
master date: 2021-08-25 14:19:31 +0200

diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
index 6c5a6db1446653720ad0be49175317bbbf4af9fb..c3553ce4c49e0e3e625835069e9c15eed779c15c 100644 (file)
--- a/xen/arch/arm/domain_build.c
+++ b/xen/arch/arm/domain_build.c
@@ -2028,7 +2028,8 @@ static int __init construct_domU(struct domain *d,
 
     if ( vcpu_create(d, 0, 0) == NULL )
         return -ENOMEM;
-    d->max_pages = ~0U;
+
+    d->max_pages = ((paddr_t)mem * SZ_1K) >> PAGE_SHIFT;
 
     kinfo.d = d;
 
@@ -2116,7 +2117,7 @@ int __init construct_dom0(struct domain *d)
 
     iommu_hwdom_init(d);
 
-    d->max_pages = ~0U;
+    d->max_pages = dom0_mem >> PAGE_SHIFT;
 
     kinfo.unassigned_mem = dom0_mem;
     kinfo.d = d;