x86/mm: Prevent 32bit PV guests using out-of-range linear addresses
authorAndrew Cooper <andrew.cooper3@citrix.com>
Fri, 11 Aug 2017 13:02:31 +0000 (13:02 +0000)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Wed, 13 Sep 2017 10:22:22 +0000 (11:22 +0100)
The grant ABI uses 64 bit values, and allows a PV guest to specify linear
addresses.  There is nothing interesting a 32bit PV guest can reference which
will pass an __addr_ok() check (and therefore succeed), but we should still
explicitly check and reject such an attempt.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
xen/arch/x86/mm.c

index d09cb3921d3491fbf4aac8ef37f454ade4811baf..5208e7373406e26382d39e4bc1e587dd75c3275a 100644 (file)
@@ -3868,6 +3868,10 @@ int create_grant_pv_mapping(uint64_t addr, unsigned long frame,
     }
     else
     {
+        /* Guest trying to pass an out-of-range linear address? */
+        if ( is_pv_32bit_domain(currd) && addr != (uint32_t)addr )
+            goto out;
+
         pl1e = map_guest_l1e(addr, &gl1mfn);
 
         if ( !pl1e )
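Review bot: The new range check in the else-branch of create_grant_pv_mapping leaves through `goto out` without setting a status of its own, so what the guest gets back is whatever the function's return value holds at that point. That value is assigned outside the hunk, so it is worth confirming it is still the error default there. The comment is also phrased as a question and does not say why the check exists; something like `/* A 32bit PV guest cannot legitimately name a linear address above 4GiB; reject it here rather than rely on __addr_ok() failing later. */` would carry the commit message's reasoning into the code. Both points apply to the `new_addr` check in replace_grant_pv_mapping as well. There the `addr` test is additionally wrapped in `ASSERT_UNREACHABLE()` with no comment naming the earlier validation that is presumed to make it unreachable, and a one-line note on that invariant would help the next reader. Both function bodies start and end outside the hunks.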
@@ -4019,6 +4023,19 @@ int replace_grant_pv_mapping(uint64_t addr, unsigned long frame,
     }
     else
     {
+        if ( is_pv_32bit_domain(currd) )
+        {
+            if ( addr != (uint32_t)addr )
+            {
+                ASSERT_UNREACHABLE();
+                goto out;
+            }
+
+            /* Guest trying to pass an out-of-range linear address? */
+            if ( new_addr != (uint32_t)new_addr )
+                goto out;
+        }
+
         if ( new_addr && !steal_linear_address(new_addr, &nl1e) )
             goto out;