WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-changelog

[Xen-changelog] [xen-3.1-testing] [IA64] Fix vulnerability of copy_to_us

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-3.1-testing] [IA64] Fix vulnerability of copy_to_user in PAL emulation
From: "Xen patchbot-3.1-testing" <patchbot-3.1-testing@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Dec 2007 08:30:20 -0800
Delivery-date: Wed, 19 Dec 2007 08:30:21 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1198058188 0
# Node ID 9b339298c9000cf74224ba91e63cc4d1ff2d4a9b
# Parent  6fa132f918c356401b24a394963cdb55c67fa919
[IA64] Fix vulnerability of copy_to_user in PAL emulation

There is a security vulnerability in PAL emulation since alt-dtlb
miss handler of HVM absolutely inserts a identity-mapped TLB when
psr.vm=0.  HVM guest can access an arbitrary machine physical
memory with this security hole.  Actually windows 2008 destroys
the content of machine physical address 0x108000.

I think this patch is enough for normal usage.  Please see SDM
Vol2 11.10.2.1.3 "Making PAL Procedure Calls in Physical or
Virtual Mode".  If the caller has a responsibility of providing
DTR or DTC mapping, xencomm for PAL might be unnecessary.

I confirmed there is no problem in linux, windows 2003, windows
2008 with this patch.

As for PV domain, the same logic can't be used due to only one
vTLB. This patch only checks that the buffer never points VMM
address, that would avoid the vulnerability.

Signed-off-by: Kouya Shimura <kouya@xxxxxxxxxxxxxx>
xen-unstable changeset:   16622:e6069a715fd7ef15bb72f5c17e8e7db4e8128f32
xen-unstable date:        Fri Dec 14 10:25:03 2007 -0700
---
 xen/arch/ia64/xen/fw_emul.c |   64 +++++++++++++++++++++++++++++++++++++-------
 1 files changed, 54 insertions(+), 10 deletions(-)

diff -r 6fa132f918c3 -r 9b339298c900 xen/arch/ia64/xen/fw_emul.c
--- a/xen/arch/ia64/xen/fw_emul.c       Sat Dec 15 19:03:44 2007 +0000
+++ b/xen/arch/ia64/xen/fw_emul.c       Wed Dec 19 09:56:28 2007 +0000
@@ -35,6 +35,7 @@
 #include <xen/hypercall.h>
 #include <xen/softirq.h>
 #include <xen/time.h>
+#include <asm/vmx_phy_mode.h>
 
 static DEFINE_SPINLOCK(efi_time_services_lock);
 
@@ -444,6 +445,45 @@ sal_emulator (long index, unsigned long 
                break;
        }
        return ((struct sal_ret_values) {status, r9, r10, r11});
+}
+
+static int
+safe_copy_to_guest(unsigned long to, void *from, long size)
+{
+       BUG_ON((unsigned)size > PAGE_SIZE);
+
+       if (VMX_DOMAIN(current)) {
+               if (is_virtual_mode(current)) {
+                       thash_data_t *data;
+                       unsigned long gpa, poff;
+
+                       /* The caller must provide a DTR or DTC mapping */
+                       data = vtlb_lookup(current, to, DSIDE_TLB);
+                       if (data) {
+                               gpa = data->page_flags & _PAGE_PPN_MASK;
+                       } else {
+                               data = vhpt_lookup(to);
+                               if (!data)
+                                       return -1;
+                               gpa = __mpa_to_gpa(
+                                       data->page_flags & _PAGE_PPN_MASK);
+                               gpa &= _PAGE_PPN_MASK;
+                       }
+                       poff = POFFSET(to, data->ps);
+                       if (poff + size > PSIZE(data->ps))
+                               return -1;
+                       to = PAGEALIGN(gpa, data->ps) | poff;
+               }
+               to |= XENCOMM_INLINE_FLAG;
+               if (xencomm_copy_to_guest((void *)to, from, size, 0) != 0)
+                       return -1;
+               return 0;
+       } else {
+               /* check for vulnerability */
+               if (IS_VMM_ADDRESS(to) || IS_VMM_ADDRESS(to + size - 1))
+                       panic_domain(NULL, "copy to bad address:0x%lx\n", to);
+               return copy_to_user((void __user *)to, from, size);
+       }
 }
 
 cpumask_t cpu_cache_coherent_map;
@@ -682,16 +722,13 @@ xen_pal_emulator(unsigned long index, u6
                                        pm_buffer,
                                        (pal_perf_mon_info_u_t *) &r9);
                        if (status != 0) {
-                               while(1)
                                printk("PAL_PERF_MON_INFO fails ret=%ld\n", 
status);
                                break;
                        }
-                       if (copy_to_user((void __user *)in1,pm_buffer,128)) {
-                               while(1)
-                               printk("xen_pal_emulator: PAL_PERF_MON_INFO "
-                                       "can't copy to user!!!!\n");
-                               status = PAL_STATUS_UNIMPLEMENTED;
-                               break;
+                       if (safe_copy_to_guest(
+                               in1, pm_buffer, sizeof(pm_buffer))) {
+                               status = PAL_STATUS_EINVAL;
+                               goto fail_to_copy;
                        }
                }
                break;
@@ -713,10 +750,11 @@ xen_pal_emulator(unsigned long index, u6
                       consumes 10 mW, implemented and cache/TLB coherent.  */
                    unsigned long res = 1000UL | (1000UL << 16) | (10UL << 32)
                            | (1UL << 61) | (1UL << 60);
-                   if (copy_to_user ((void *)in1, &res, sizeof (res)))
+                   if (safe_copy_to_guest (in1, &res, sizeof (res))) {
                            status = PAL_STATUS_EINVAL;    
-                   else
-                           status = PAL_STATUS_SUCCESS;
+                           goto fail_to_copy;
+                   }
+                   status = PAL_STATUS_SUCCESS;
                }
                break;
            case PAL_HALT:
@@ -746,6 +784,12 @@ xen_pal_emulator(unsigned long index, u6
                                index);
                break;
        }
+       return ((struct ia64_pal_retval) {status, r9, r10, r11});
+
+fail_to_copy:
+       gdprintk(XENLOG_WARNING,
+               "PAL(%ld) fail to copy!!! args 0x%lx 0x%lx 0x%lx\n",
+               index, in1, in2, in3);
        return ((struct ia64_pal_retval) {status, r9, r10, r11});
 }
 

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-changelog] [xen-3.1-testing] [IA64] Fix vulnerability of copy_to_user in PAL emulation, Xen patchbot-3.1-testing <=