From: Andrew Cooper
Subject: Re: [PATCH 2/4] x86: add address validity check to guest_map_l1e()
Date: Thu, 10 Oct 2013 14:57:51 +0100
Message-ID: <5256B25F.2070507@citrix.com>
In-Reply-To: <5256CDA402000078000FA3E6@nat28.tlf.novell.com>
References: <5256CC6F02000078000FA3D0@nat28.tlf.novell.com> <5256CDA402000078000FA3E6@nat28.tlf.novell.com>
To: Jan Beulich
Cc: xen-devel, Keir Fraser

On 10/10/13 14:54, Jan Beulich wrote:
Just like for guest_get_eff_l1e() this prevents accessing as page
tables (and with the wrong memory attribute) internal data inside Xen
happening to be mapped with 1Gb pages.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper@citrix.com>

--- a/xen/include/asm-x86/paging.h
+++ b/xen/include/asm-x86/paging.h
@@ -360,7 +360,8 @@ guest_map_l1e(struct vcpu *v, unsigned l
         return paging_get_hostmode(v)->guest_map_l1e(v, addr, gl1mfn);
 
     /* Find this l1e and its enclosing l1mfn in the linear map */
-    if ( __copy_from_user(&l2e, 
+    if ( !__addr_ok(addr) ||
+         __copy_from_user(&l2e,
                           &__linear_l2_table[l2_linear_offset(addr)],
                           sizeof(l2_pgentry_t)) != 0 )
         return NULL;
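
Review bot: the new `!__addr_ok(addr)` term in the `if` condition carries no comment, and the existing "Find this l1e and its enclosing l1mfn in the linear map" comment does not explain why `addr` has to be rejected before `__linear_l2_table` is indexed. A one-line comment restating the reason from the commit message (Xen-internal data mapped with 1Gb pages must not be read as page tables) would keep the check from looking redundant to a later reader. The check also sits after the early `return paging_get_hostmode(v)->guest_map_l1e(v, addr, gl1mfn);`, so it only covers the linear-map path; it is worth confirming that the hostmode path validates `addr` on its own. Since the commit message says guest_get_eff_l1e() has the same test, a shared helper could keep the two copies from drifting apart.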




