x86: Disable the use of auto-translated PV guests

This is a minimal backport of c/s 92942fd3d469 "x86/mm: drop
guest_{map,get_eff}_l1e() hooks" from Xen 4.7, which stated:

  Disallow the unmaintained and presumed broken translated-but-not-external
  paging mode combination ...

It turns out that this mode is insecure to run with, as opposed to just simply
broken.

This is part of XSA-243.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
index 37e2a12c29522cf7dfe16cc237a010662ea8fbec..8d7f5cbc319cc85bc465fa145f0efcdeb095ae3a 100644 (file)
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -815,6 +815,15 @@ void paging_final_teardown(struct domain *d)
  * creation. */
 int paging_enable(struct domain *d, u32 mode)
 {
+    switch ( mode & (PG_external | PG_translate) )
+    {
+    case 0:
+    case PG_external | PG_translate:
+        break;
+    default:
+        return -EINVAL;
+    }
+
     if ( hap_enabled(d) )
         return hap_enable(d, mode | PG_HAP_enable);
     else