From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [RFC][v3][PATCH 2/6] xen:x86: introduce a new
 hypercall to get RMRR mappings
Date: Fri, 15 Aug 2014 10:46:31 +0100
Message-ID: <53EDD6F7.6000500@citrix.com>
References: <1408091238-18364-1-git-send-email-tiejun.chen@intel.com>
	<1408091238-18364-3-git-send-email-tiejun.chen@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1408091238-18364-3-git-send-email-tiejun.chen@intel.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Tiejun Chen <tiejun.chen@intel.com>, JBeulich@suse.com, ian.jackson@eu.citrix.com, stefano.stabellini@eu.citrix.com, ian.campbell@citrix.com, yang.z.zhang@intel.com, kevin.tian@intel.com
Cc: xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 15/08/14 09:27, Tiejun Chen wrote:
> We need this new hypercall to get RMRR mapping for VM.
>
> Signed-off-by: Tiejun Chen <tiejun.chen@intel.com>
> ---
>  xen/arch/x86/x86_64/compat/mm.c |  9 +++++++++
>  xen/include/public/memory.h     | 14 +++++++++++++-
>  2 files changed, 22 insertions(+), 1 deletion(-)
>
> diff --git a/xen/arch/x86/x86_64/compat/mm.c b/xen/arch/x86/x86_64/compat/mm.c
> index 69c6195..ff16f17 100644
> --- a/xen/arch/x86/x86_64/compat/mm.c
> +++ b/xen/arch/x86/x86_64/compat/mm.c
> @@ -132,6 +132,15 @@ int compat_arch_memory_op(unsigned long cmd, XEN_GUEST_HANDLE_PARAM(void) arg)
>          break;
>      }
>  
> +    case XENMEM_reserved_device_memory_map:
> +    {
> +        /* Currently we just need to cover RMRR. */
> +        if ( copy_to_guest(arg, &rmrr_maps, 1) )
> +            return -EFAULT;

This will trivially clobber the hypercaller's stack/heap.

You are not even using the correct indirection of
xen_rmrr_memory_map_t.buffer

You *must* start by copying xen_rmrr_memory_map_t from the guest.

~Andrew

> +
> +        return 0;
> +    }
> +
>      case XENMEM_machphys_mapping:
>      {
>          struct domain *d = current->domain;
> diff --git a/xen/include/public/memory.h b/xen/include/public/memory.h
> index 2c57aa0..13e539f 100644
> --- a/xen/include/public/memory.h
> +++ b/xen/include/public/memory.h
> @@ -523,7 +523,19 @@ DEFINE_XEN_GUEST_HANDLE(xen_mem_sharing_op_t);
>  
>  #endif /* defined(__XEN__) || defined(__XEN_TOOLS__) */
>  
> -/* Next available subop number is 26 */
> +/*
> + * Some devices may reserve some range.
> + *
> + * Currently we just have RMRR
> + * - Reserved memory Region Reporting Structure,
> + * So returns the RMRR memory map as it was when the domain
> + * was started.
> + */
> +#define XENMEM_reserved_device_memory_map   26
> +typedef struct xen_memory_map xen_rmrr_memory_map_t;
> +DEFINE_XEN_GUEST_HANDLE(xen_rmrr_memory_map_t);
> +
> +/* Next available subop number is 27 */
>  
>  #endif /* __XEN_PUBLIC_MEMORY_H__ */
>