domctl: don't allow a toolstack domain to call domain_pause() on itself

These DOMCTL subops were accidentally declared safe for disaggregation
in the wake of XSA-77.

This is XSA-127 / CVE-2015-2751.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 306297aa1fed75fef75793bebcf8f65f45a8fb0d..07000de4b1d8aa0404c9f869af6f08a216e00f61 100644 (file)
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -946,6 +946,10 @@ long arch_do_domctl(
     {
         xen_guest_tsc_info_t info;
 
+        ret = -EINVAL;
+        if ( d == current->domain ) /* no domain_pause() */
+            break;
+
         domain_pause(d);
         tsc_get_info(d, &info.tsc_mode,
                         &info.elapsed_nsec,
@@ -961,6 +965,10 @@ long arch_do_domctl(
 
     case XEN_DOMCTL_settscinfo:
     {
+        ret = -EINVAL;
+        if ( d == current->domain ) /* no domain_pause() */
+            break;
+
         domain_pause(d);
         tsc_set_info(d, domctl->u.tsc_info.info.tsc_mode,
                      domctl->u.tsc_info.info.elapsed_nsec,

diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index bc8e9d8d7c513f8100fec4862f09699f64e21405..53c9d9195af0b083998693125305feaf8f8cc263 100644 (file)
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -391,8 +391,10 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
 
     case XEN_DOMCTL_resumedomain:
     {
-        domain_resume(d);
-        ret = 0;
+        if ( d == current->domain ) /* no domain_pause() */
+            ret = -EINVAL;
+        else
+            domain_resume(d);
     }
     break;