path: root/xen/include/xen/tmem_xen.h
authorJan Beulich <jbeulich@suse.com>2012-09-11 14:17:49 +0200
committerJan Beulich <jbeulich@suse.com>2012-09-11 14:17:49 +0200
commit09d39e0108811d6bfe1ab7f819b951ea0b1611d7 (patch)
tree7f49ed16cb84729ab6a78a5491315dcfef0cc59a /xen/include/xen/tmem_xen.h
parent3fed6db242883d824ab41c00920e0c96c058f3aa (diff)
tmem: don't access guest memory without using the accessors intended for this
This is not permitted, not even for buffers coming from Dom0 (and it would also break the moment Dom0 runs in HVM mode). An implication from the changes here is that tmh_copy_page() can't be used anymore for control operations calling tmh_copy_{from,to}_client() (as those pass the buffer by virtual address rather than MFN). Note that tmemc_save_get_next_page() previously didn't set the returned handle's pool_id field, while the new code does. It needs to be confirmed that this is not a problem (otherwise the copy-out operation will require further tmh_...() abstractions to be added). Further note that the patch removes (rather than adjusts) an invalid call to unmap_domain_page() (no matching map_domain_page()) from tmh_compress_from_client() and adds a missing one to an error return path in tmh_copy_from_client(). Finally note that the patch adds a previously missing return statement to cli_get_page() (without which that function could de-reference a NULL pointer, triggerable from guest mode). This is part of XSA-15 / CVE-2012-3497. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Dan Magenheimer <dan.magenheimer@oracle.com>
Diffstat (limited to 'xen/include/xen/tmem_xen.h')
-rw-r--r--xen/include/xen/tmem_xen.h20
1 files changed, 13 insertions, 7 deletions
diff --git a/xen/include/xen/tmem_xen.h b/xen/include/xen/tmem_xen.h
index 4a357605f5..5509ea0463 100644
--- a/xen/include/xen/tmem_xen.h
+++ b/xen/include/xen/tmem_xen.h
@@ -482,27 +482,33 @@ static inline int tmh_get_tmemop_from_client(tmem_op_t *op, tmem_cli_op_t uops)
return copy_from_guest(op, uops, 1);
}
+#define tmh_cli_buf_null guest_handle_from_ptr(NULL, char)
+
static inline void tmh_copy_to_client_buf_offset(tmem_cli_va_t clibuf, int off,
char *tmembuf, int len)
{
copy_to_guest_offset(clibuf,off,tmembuf,len);
}
+#define tmh_copy_to_client_buf(clibuf, tmembuf, cnt) \
+ copy_to_guest(guest_handle_cast(clibuf, void), tmembuf, cnt)
+
+#define tmh_client_buf_add guest_handle_add_offset
+
#define TMH_CLI_ID_NULL ((cli_id_t)((domid_t)-1L))
#define tmh_cli_id_str "domid"
#define tmh_client_str "domain"
-extern int tmh_decompress_to_client(tmem_cli_mfn_t,void*,size_t,void*);
+int tmh_decompress_to_client(tmem_cli_mfn_t, void *, size_t, tmem_cli_va_t);
-extern int tmh_compress_from_client(tmem_cli_mfn_t,void**,size_t *,void*);
+int tmh_compress_from_client(tmem_cli_mfn_t, void **, size_t *, tmem_cli_va_t);
-extern int tmh_copy_from_client(pfp_t *pfp,
- tmem_cli_mfn_t cmfn, pagesize_t tmem_offset,
- pagesize_t pfn_offset, pagesize_t len, void *cva);
+int tmh_copy_from_client(pfp_t *, tmem_cli_mfn_t, pagesize_t tmem_offset,
+ pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t);
-extern int tmh_copy_to_client(tmem_cli_mfn_t cmfn, pfp_t *pfp,
- pagesize_t tmem_offset, pagesize_t pfn_offset, pagesize_t len, void *cva);
+int tmh_copy_to_client(tmem_cli_mfn_t, pfp_t *, pagesize_t tmem_offset,
+ pagesize_t pfn_offset, pagesize_t len, tmem_cli_va_t);
extern int tmh_copy_tze_to_client(tmem_cli_mfn_t cmfn, void *tmem_va, pagesize_t len);