From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH 1/3] x86: tighten page table owner checking
 in do_mmu_update()
Date: Thu, 20 Nov 2014 10:29:46 +0000
Message-ID: <546DC29A.4070301@citrix.com>
References: <546DCAB102000078000493E0@smtp.nue.novell.com>
	<546DCC7202000078000493F0@smtp.nue.novell.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4615693742964800841=="
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta14.messagelabs.com ([193.109.254.103])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <Andrew.Cooper3@citrix.com>) id 1XrOzp-00081y-A2
	for xen-devel@lists.xenproject.org; Thu, 20 Nov 2014 10:29:53 +0000
In-Reply-To: <546DCC7202000078000493F0@smtp.nue.novell.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich <JBeulich@suse.com>, xen-devel <xen-devel@lists.xenproject.org>
Cc: Keir Fraser <keir@xen.org>, Tim Deegan <tim@xen.org>
List-Id: xen-devel@lists.xenproject.org

--===============4615693742964800841==
Content-Type: multipart/alternative;
	boundary="------------090405090003080301010406"

--------------090405090003080301010406
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit

On 20/11/14 10:11, Jan Beulich wrote:
> MMU_MACHPHYS_UPDATE, not manipulating page tables, shouldn't ignore
> a bad page table domain being specified.
>
> Also pt_owner can't be NULL when reaching the "out" label, so the
> respective check can be dropped.

Yes it can.

Failing

    if ( (pg_owner = get_pg_owner((uint16_t)foreigndom)) == NULL )
    {
        rc = -ESRCH;
        goto out;
    }

around line 3462 will cause pt_owner to be NULL at the out label.

~Andrew

>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> Acked-by: Tim Deegan <tim@xen.org>
>
> --- a/xen/arch/x86/mm.c
> +++ b/xen/arch/x86/mm.c
> @@ -3618,6 +3618,11 @@ long do_mmu_update(
>          break;
>  
>          case MMU_MACHPHYS_UPDATE:
> +            if ( unlikely(d != pt_owner) )
> +            {
> +                rc = -EPERM;
> +                break;
> +            }
>  
>              mfn = req.ptr >> PAGE_SHIFT;
>              gpfn = req.val;
> @@ -3694,7 +3699,7 @@ long do_mmu_update(
>      perfc_add(num_page_updates, i);
>  
>   out:
> -    if ( pt_owner && (pt_owner != d) )
> +    if ( pt_owner != d )
>          rcu_unlock_domain(pt_owner);
>  
>      /* Add incremental work we have done to the @done output parameter. */
>
>
>
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel


--------------090405090003080301010406
Content-Type: text/html; charset="windows-1252"
Content-Length: 2517
Content-Transfer-Encoding: quoted-printable

<html>
  <head>
    <meta content=3D"text/html; charset=3Dwindows-1252"
      http-equiv=3D"Content-Type">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">On 20/11/14 10:11, Jan Beulich wrote:<br>
    </div>
    <blockquote cite=3D"mid:546DCC7202000078000493F0@smtp.nue.novell.com"
      type=3D"cite">
      <pre wrap=3D"">MMU_MACHPHYS_UPDATE, not manipulating page tables, shouldn't ignore
a bad page table domain being specified.

Also pt_owner can't be NULL when reaching the "out" label, so the
respective check can be dropped.</pre>
    </blockquote>
    <br>
    Yes it can.<br>
    <br>
    Failing <br>
    <br>
    =A0=A0=A0 if ( (pg_owner =3D get_pg_owner((uint16_t)foreigndom)) =3D=3D NULL )<br>
    =A0=A0=A0 {<br>
    =A0=A0=A0=A0=A0=A0=A0 rc =3D -ESRCH;<br>
    =A0=A0=A0=A0=A0=A0=A0 goto out;<br>
    =A0=A0=A0 }<br>
    <br>
    around line 3462 will cause pt_owner to be NULL at the out label.<br>
    <br>
    ~Andrew<br>
    <br>
    <blockquote cite=3D"mid:546DCC7202000078000493F0@smtp.nue.novell.com"
      type=3D"cite">
      <pre wrap=3D"">

Signed-off-by: Jan Beulich <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:jbeulich@suse.com">&lt;jbeulich@suse.com&gt;</a>
Acked-by: Tim Deegan <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:tim@xen.org">&lt;tim@xen.org&gt;</a>

--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -3618,6 +3618,11 @@ long do_mmu_update(
         break;
 
         case MMU_MACHPHYS_UPDATE:
+            if ( unlikely(d !=3D pt_owner) )
+            {
+                rc =3D -EPERM;
+                break;
+            }
 
             mfn =3D req.ptr &gt;&gt; PAGE_SHIFT;
             gpfn =3D req.val;
@@ -3694,7 +3699,7 @@ long do_mmu_update(
     perfc_add(num_page_updates, i);
 
  out:
-    if ( pt_owner &amp;&amp; (pt_owner !=3D d) )
+    if ( pt_owner !=3D d )
         rcu_unlock_domain(pt_owner);
 
     /* Add incremental work we have done to the @done output parameter. */



</pre>
      <br>
      <fieldset class=3D"mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap=3D"">_______________________________________________
Xen-devel mailing list
<a class=3D"moz-txt-link-abbreviated" href=3D"mailto:Xen-devel@lists.xen.org">Xen-devel@lists.xen.org</a>
<a class=3D"moz-txt-link-freetext" href=3D"http://lists.xen.org/xen-devel">http://lists.xen.org/xen-devel</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------090405090003080301010406--


--===============4615693742964800841==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

--===============4615693742964800841==--