xsa92.patch

   1 x86/HVM: restrict HVMOP_set_mem_type
   2
   3 Permitting arbitrary type changes here has the potential of creating
   4 present P2M (and hence EPT/NPT/IOMMU) entries pointing to an invalid
   5 MFN (INVALID_MFN truncated to the respective hardware structure field's
   6 width). This would become a problem the latest when something real sat
   7 at the end of the physical address space; I'm suspecting though that
   8 other things might break with such bogus entries.
   9
  10 Along with that drop a bogus (and otherwise becoming stale) log
  11 message.
  12
  13 Afaict the similar operation in p2m_set_mem_access() is safe.
  14
  15 This is XSA-92.
  16
  17 Signed-off-by: Jan Beulich <jbeulich@suse.com>
  18 Reviewed-by: Tim Deegan <tim@xen.org>
  19
  20 --- a/xen/arch/x86/hvm/hvm.c
  21 +++ b/xen/arch/x86/hvm/hvm.c
  22 @@ -4541,12 +4541,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
  23                  rc = -EINVAL;
  24                  goto param_fail4;
  25              }
  26 -            if ( p2m_is_grant(t) )
  27 +            if ( !p2m_is_ram(t) &&
  28 +                 (!p2m_is_hole(t) || a.hvmmem_type != HVMMEM_mmio_dm) )
  29              {
  30                  put_gfn(d, pfn);
  31 -                gdprintk(XENLOG_WARNING,
  32 -                         "type for pfn %#lx changed to grant while "
  33 -                         "we were working?\n", pfn);
  34                  goto param_fail4;
  35              }
  36              else