From: Andrew Cooper
Subject: Re: [PATCH v4 3/3] x86/hvm: Use white-lists for HVM param guest accessibility checks
Date: Tue, 5 May 2015 17:53:59 +0100
Message-ID: <5548F5A7.4060104@citrix.com>
References: <1430840854-25252-1-git-send-email-paul.durrant@citrix.com> <1430840854-25252-4-git-send-email-paul.durrant@citrix.com>
In-Reply-To: <1430840854-25252-4-git-send-email-paul.durrant@citrix.com>
To: Paul Durrant, xen-devel@lists.xenproject.org
Cc: Keir Fraser, Jan Beulich

On 05/05/15 16:47, Paul Durrant wrote:
> There are actually very few HVM parameters that a guest needs to read
> and even fewer that a guest needs to write. Use white-lists to specify
> those parameters and also ensure that, by default, newly introduced
> parameters are not accessible.
>
> Signed-off-by: Paul Durrant
> Cc: Keir Fraser
> Cc: Jan Beulich
> Cc: Andrew Cooper

Reviewed-by: Andrew Cooper

> ---
> xen/arch/x86/hvm/hvm.c | 37 ++++++++++++++++++++-----------------
> 1 file changed, 20 insertions(+), 17 deletions(-)
>
> diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
> index 03543dd..571809b 100644
> --- a/xen/arch/x86/hvm/hvm.c
> +++ b/xen/arch/x86/hvm/hvm.c
> @@ -5650,6 +5650,12 @@ static int hvm_allow_set_param(struct domain *d, > > switch ( a->index ) > { > + /* The following parameters can be set by the guest. */ > + case HVM_PARAM_CALLBACK_IRQ: > + case HVM_PARAM_VM86_TSS: > + case HVM_PARAM_ACPI_IOPORTS_LOCATION: > + case HVM_PARAM_VM_GENERATION_ID_ADDR: > + break; > /* > * The following parameters must not be set by the guest > * since the domain may need to be paused. > @@ -5657,21 +5663,11 @@ static int hvm_allow_set_param(struct domain *d, > case HVM_PARAM_IDENT_PT: > case HVM_PARAM_DM_DOMAIN: > case HVM_PARAM_ACPI_S_STATE: > - /* The following parameters should not be set by the guest. */ > - case HVM_PARAM_VIRIDIAN: > - case HVM_PARAM_MEMORY_EVENT_CR0: > - case HVM_PARAM_MEMORY_EVENT_CR3: > - case HVM_PARAM_MEMORY_EVENT_CR4: > - case HVM_PARAM_MEMORY_EVENT_INT3: > - case HVM_PARAM_MEMORY_EVENT_SINGLE_STEP: > - case HVM_PARAM_MEMORY_EVENT_MSR: > - case HVM_PARAM_IOREQ_SERVER_PFN: > - case HVM_PARAM_NR_IOREQ_SERVER_PAGES: > + /* The remaining parameters should not be set by the guest. */ > + default: > if ( d == current->domain ) > rc = -EPERM; > break; > - default: > - break; > } > > if ( rc ) > @@ -5874,6 +5870,16 @@ static int hvm_allow_get_param(struct domain *d, > > switch ( a->index ) > { > + /* The following parameters can be read by the guest. */ > + case HVM_PARAM_CALLBACK_IRQ: > + case HVM_PARAM_VM86_TSS: > + case HVM_PARAM_ACPI_IOPORTS_LOCATION: > + case HVM_PARAM_VM_GENERATION_ID_ADDR: > + case HVM_PARAM_STORE_PFN: > + case HVM_PARAM_STORE_EVTCHN: > + case HVM_PARAM_CONSOLE_PFN: > + case HVM_PARAM_CONSOLE_EVTCHN: > + break; > /* > * The following parameters must not be read by the guest > * since the domain may need to be paused. 
> @@ -5881,14 +5887,11 @@ static int hvm_allow_get_param(struct domain *d, > case HVM_PARAM_IOREQ_PFN: > case HVM_PARAM_BUFIOREQ_PFN: > case HVM_PARAM_BUFIOREQ_EVTCHN: > - /* The following parameters should not be read by the guest. */ > - case HVM_PARAM_IOREQ_SERVER_PFN: > - case HVM_PARAM_NR_IOREQ_SERVER_PAGES: > + /* The remaining parameters should not be read by the guest. */ > + default: > if ( d == current->domain ) > rc = -EPERM; > break; > - default: > - break; > } > > return rc;
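
Review bot: in the second hvm_allow_set_param hunk (@@ -5657), moving the deny body under default: changes the result for every index that used to reach the old "default: break;", and the commit message does not say which existing parameters a guest loses write access to. Please list them in the commit message so the guest-visible change can be checked against known guest users. Also, HVM_PARAM_IDENT_PT, HVM_PARAM_DM_DOMAIN and HVM_PARAM_ACPI_S_STATE now fall into the same body as default:, so they survive only to carry the "may need to be paused" comment; either say so in that comment or drop the explicit cases.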
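
Review bot: in the hvm_allow_get_param allowlist hunk (@@ -5870), the first four cases repeat the writable set from hvm_allow_set_param by hand, with nothing to stop the two lists drifting apart. A short comment stating that every guest-writable parameter is expected to be guest-readable too would make it obvious that an addition to the set list needs a matching addition here. As a style point, the new break; runs straight into the following block comment in both allowlist hunks; a blank line between them would separate the allowed group from the denied one.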
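
Review bot: in the last hvm_allow_get_param hunk (@@ -5881), the new default: still returns -EPERM only when d == current->domain, so the allowlist restricts a domain reading its own parameters and nothing else. The comment "The remaining parameters should not be read by the guest" reads as an unconditional deny; wording such as "should not be read by the guest itself" would match the check, and the same applies to the matching comment in hvm_allow_set_param.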