From: "Jan Beulich" <JBeulich@suse.com>
To: xen-devel <xen-devel@lists.xenproject.org>
Cc: Ian Campbell <Ian.Campbell@eu.citrix.com>,
Keir Fraser <keir@xen.org>,
Ian Jackson <Ian.Jackson@eu.citrix.com>, Tim Deegan <tim@xen.org>
Subject: [PATCH v2] domctl: tighten XEN_DOMCTL_*_permission
Date: Tue, 06 May 2014 14:08:45 +0100 [thread overview]
Message-ID: <5368FAFD020000780000F610@mail.emea.novell.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 3758 bytes --]
With proper permission (and, for the I/O port case, wrap-around) checks
added (note that for the I/O port case a count of zero is now being
disallowed, in line with I/O memory handling):
XEN_DOMCTL_irq_permission:
XEN_DOMCTL_ioport_permission:
Of both IRQs and I/O ports there is only a reasonably small amount, so
there's no excess resource consumption involved here. Additionally
they both have a specialized XSM hook associated.
XEN_DOMCTL_iomem_permission:
While this also has a specialized XSM hook associated (just like
XEN_DOMCTL_{irq,ioport}_permission), it's not clear whether it's
reasonable to expect XSM to restrict the number of ranges associated
with a domain via this hook (which is the main resource consumption
item here).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2: Fix off-by-one in XEN_DOMCTL_ioport_permission bounds checking.
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -72,9 +72,7 @@ __HYPERVISOR_domctl (xen/include/public/
* XEN_DOMCTL_getvcpucontext
* XEN_DOMCTL_max_vcpus
* XEN_DOMCTL_scheduler_op
- * XEN_DOMCTL_irq_permission
* XEN_DOMCTL_iomem_permission
- * XEN_DOMCTL_ioport_permission
* XEN_DOMCTL_gethvmcontext
* XEN_DOMCTL_sethvmcontext
* XEN_DOMCTL_set_address_size
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -46,6 +46,8 @@ static int gdbsx_guest_mem_io(
return (iop->remain ? -EFAULT : 0);
}
+#define MAX_IOPORTS 0x10000
+
long arch_do_domctl(
struct xen_domctl *domctl, struct domain *d,
XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
@@ -72,13 +74,11 @@ long arch_do_domctl(
unsigned int np = domctl->u.ioport_permission.nr_ports;
int allow = domctl->u.ioport_permission.allow_access;
- ret = -EINVAL;
- if ( (fp + np) > 65536 )
- break;
-
- if ( np == 0 )
- ret = 0;
- else if ( xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
+ if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS )
+ ret = -EINVAL;
+ else if ( !ioports_access_permitted(current->domain,
+ fp, fp + np - 1) ||
+ xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
ret = -EPERM;
else if ( allow )
ret = ioports_permit_access(d, fp, fp + np - 1);
@@ -719,7 +719,6 @@ long arch_do_domctl(
case XEN_DOMCTL_ioport_mapping:
{
-#define MAX_IOPORTS 0x10000
struct hvm_iommu *hd;
unsigned int fgp = domctl->u.ioport_mapping.first_gport;
unsigned int fmp = domctl->u.ioport_mapping.first_mport;
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -790,7 +790,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
if ( pirq >= d->nr_pirqs )
ret = -EINVAL;
- else if ( xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
+ else if ( !pirq_access_permitted(current->domain, pirq) ||
+ xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
ret = -EPERM;
else if ( allow )
ret = pirq_permit_access(d, pirq);
@@ -809,7 +810,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */
break;
- if ( xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
+ if ( !iomem_access_permitted(current->domain,
+ mfn, mfn + nr_mfns - 1) ||
+ xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
ret = -EPERM;
else if ( allow )
ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1);
[-- Attachment #2: domctl-permit-access.patch --]
[-- Type: text/plain, Size: 3795 bytes --]
domctl: tighten XEN_DOMCTL_*_permission
With proper permission (and, for the I/O port case, wrap-around) checks
added (note that for the I/O port case a count of zero is now being
disallowed, in line with I/O memory handling):
XEN_DOMCTL_irq_permission:
XEN_DOMCTL_ioport_permission:
Of both IRQs and I/O ports there is only a reasonably small amount, so
there's no excess resource consumption involved here. Additionally
they both have a specialized XSM hook associated.
XEN_DOMCTL_iomem_permission:
While this also has a specialized XSM hook associated (just like
XEN_DOMCTL_{irq,ioport}_permission), it's not clear whether it's
reasonable to expect XSM to restrict the number of ranges associated
with a domain via this hook (which is the main resource consumption
item here).
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2: Fix off-by-one in XEN_DOMCTL_ioport_permission bounds checking.
--- a/docs/misc/xsm-flask.txt
+++ b/docs/misc/xsm-flask.txt
@@ -72,9 +72,7 @@ __HYPERVISOR_domctl (xen/include/public/
* XEN_DOMCTL_getvcpucontext
* XEN_DOMCTL_max_vcpus
* XEN_DOMCTL_scheduler_op
- * XEN_DOMCTL_irq_permission
* XEN_DOMCTL_iomem_permission
- * XEN_DOMCTL_ioport_permission
* XEN_DOMCTL_gethvmcontext
* XEN_DOMCTL_sethvmcontext
* XEN_DOMCTL_set_address_size
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -46,6 +46,8 @@ static int gdbsx_guest_mem_io(
return (iop->remain ? -EFAULT : 0);
}
+#define MAX_IOPORTS 0x10000
+
long arch_do_domctl(
struct xen_domctl *domctl, struct domain *d,
XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
@@ -72,13 +74,11 @@ long arch_do_domctl(
unsigned int np = domctl->u.ioport_permission.nr_ports;
int allow = domctl->u.ioport_permission.allow_access;
- ret = -EINVAL;
- if ( (fp + np) > 65536 )
- break;
-
- if ( np == 0 )
- ret = 0;
- else if ( xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
+ if ( (fp + np) <= fp || (fp + np) > MAX_IOPORTS )
+ ret = -EINVAL;
+ else if ( !ioports_access_permitted(current->domain,
+ fp, fp + np - 1) ||
+ xsm_ioport_permission(XSM_HOOK, d, fp, fp + np - 1, allow) )
ret = -EPERM;
else if ( allow )
ret = ioports_permit_access(d, fp, fp + np - 1);
@@ -719,7 +719,6 @@ long arch_do_domctl(
case XEN_DOMCTL_ioport_mapping:
{
-#define MAX_IOPORTS 0x10000
struct hvm_iommu *hd;
unsigned int fgp = domctl->u.ioport_mapping.first_gport;
unsigned int fmp = domctl->u.ioport_mapping.first_mport;
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -790,7 +790,8 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
if ( pirq >= d->nr_pirqs )
ret = -EINVAL;
- else if ( xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
+ else if ( !pirq_access_permitted(current->domain, pirq) ||
+ xsm_irq_permission(XSM_HOOK, d, pirq, allow) )
ret = -EPERM;
else if ( allow )
ret = pirq_permit_access(d, pirq);
@@ -809,7 +810,9 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xe
if ( (mfn + nr_mfns - 1) < mfn ) /* wrap? */
break;
- if ( xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
+ if ( !iomem_access_permitted(current->domain,
+ mfn, mfn + nr_mfns - 1) ||
+ xsm_iomem_permission(XSM_HOOK, d, mfn, mfn + nr_mfns - 1, allow) )
ret = -EPERM;
else if ( allow )
ret = iomem_permit_access(d, mfn, mfn + nr_mfns - 1);
[-- Attachment #3: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
next reply other threads:[~2014-05-06 13:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-06 13:08 Jan Beulich [this message]
2014-05-08 11:20 ` [PATCH v2] domctl: tighten XEN_DOMCTL_*_permission Tim Deegan
2014-08-15 10:00 ` Andrii Tseglytskyi
2014-08-15 10:36 ` Andrew Cooper
2014-08-15 11:02 ` Andrii Tseglytskyi
2014-08-15 12:02 ` Andrew Cooper
2014-08-15 12:22 ` Andrii Tseglytskyi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5368FAFD020000780000F610@mail.emea.novell.com \
--to=jbeulich@suse.com \
--cc=Ian.Campbell@eu.citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=keir@xen.org \
--cc=tim@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).