Tools: After a helper maps a ring, yank it from the guest physmap

This limits the ability of the guest to play around with its own rings, and DoS
itself.

Signed-off-by: Andres Lagar-Cavilla <andres@lagarcavilla.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Tim Deegan <tim@xen.org>

diff --git a/tools/tests/xen-access/xen-access.c b/tools/tests/xen-access/xen-access.c
index fce886432ad949b860b7fc55b8e706b2f79b7586..b861aff323e4b8b84ae8c7aa5ce4bcc5b5aede78 100644 (file)
--- a/tools/tests/xen-access/xen-access.c
+++ b/tools/tests/xen-access/xen-access.c
@@ -269,6 +269,11 @@ xenaccess_t *xenaccess_init(xc_interface **xch_r, domid_t domain_id)
                    (mem_event_sring_t *)xenaccess->mem_event.ring_page,
                    PAGE_SIZE);
 
+    /* Now that the ring is set, remove it from the guest's physmap */
+    if ( xc_domain_decrease_reservation_exact(xch, 
+                    xenaccess->mem_event.domain_id, 1, 0, &ring_pfn) )
+        PERROR("Failed to remove ring from guest physmap");
+
     /* Get platform info */
     xenaccess->platform_info = malloc(sizeof(xc_platform_info_t));
     if ( xenaccess->platform_info == NULL )

diff --git a/tools/xenpaging/xenpaging.c b/tools/xenpaging/xenpaging.c
index b9ba00fa11a68a50a78aeced0e6b1b86c7ccd459..5c1cd81ecc91183b11389872acd16c1259f82962 100644 (file)
--- a/tools/xenpaging/xenpaging.c
+++ b/tools/xenpaging/xenpaging.c
@@ -416,6 +416,11 @@ static struct xenpaging *xenpaging_init(int argc, char *argv[])
                    (mem_event_sring_t *)paging->mem_event.ring_page,
                    PAGE_SIZE);
 
+    /* Now that the ring is set, remove it from the guest's physmap */
+    if ( xc_domain_decrease_reservation_exact(xch, 
+                    paging->mem_event.domain_id, 1, 0, &ring_pfn) )
+        PERROR("Failed to remove ring from guest physmap");
+
     /* Get max_pages from guest if not provided via cmdline */
     if ( !paging->max_pages )
     {