diff options
author | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-11-14 11:40:45 +0000 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-11-14 11:40:45 +0000 |
commit | 9070a6ef041756341286e88e7fad7de3e01c66f9 (patch) | |
tree | 2d806eb8e96421cacfde4416158e8605a1eb0c5d | |
parent | 50d1a7fea0a60cd66733cfd8666a95f00d586549 (diff) | |
download | xen-9070a6ef041756341286e88e7fad7de3e01c66f9.tar.gz xen-9070a6ef041756341286e88e7fad7de3e01c66f9.tar.bz2 xen-9070a6ef041756341286e88e7fad7de3e01c66f9.zip |
x86/physmap: Prevent incorrect updates of m2p mappings
In certain conditions, such as low memory, set_p2m_entry() can fail.
Currently, the p2m and m2p tables will get out of sync because we still
update the m2p table after the p2m update has failed.
If that happens, subsequent guest-invoked memory operations can cause
BUG()s and ASSERT()s to kill Xen.
This is fixed by only updating the m2p table iff the p2m was
successfully updated.
This is a security problem, XSA-22 / CVE-2012-4537.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-rw-r--r-- | xen/arch/x86/mm/p2m.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 82e1b55f81..f494d2541d 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -2558,7 +2558,10 @@ guest_physmap_add_entry(struct p2m_domain *p2m, unsigned long gfn, if ( mfn_valid(_mfn(mfn)) ) { if ( !set_p2m_entry(p2m, gfn, _mfn(mfn), page_order, t, p2m->default_access) ) + { rc = -EINVAL; + goto out; /* Failed to update p2m, bail without updating m2p. */ + } if ( !p2m_is_grant(t) ) { for ( i = 0; i < (1UL << page_order); i++ ) @@ -2579,6 +2582,7 @@ guest_physmap_add_entry(struct p2m_domain *p2m, unsigned long gfn, } } +out: audit_p2m(p2m, 1); p2m_unlock(p2m); |