xen-ia64-devel

[Top] [All Lists]

[Xen-ia64-devel] [PATCH][Linux] fix vulnerability of privcmd_mmap

from [Kouya Shimura]

[Permanent Link][Original]

To:	xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
Subject:	[Xen-ia64-devel] [PATCH][Linux] fix vulnerability of privcmd_mmap
From:	Kouya Shimura <kouya@xxxxxxxxxxxxxx>
Date:	Thu, 21 Feb 2008 17:42:44 +0900
Delivery-date:	Thu, 21 Feb 2008 00:43:20 -0800
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxx
List-help:	<mailto:xen-ia64-devel-request@lists.xensource.com?subject=help>
List-id:	Discussion of the ia64 port of Xen <xen-ia64-devel.lists.xensource.com>
List-post:	<mailto:xen-ia64-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-ia64-devel>, <mailto:xen-ia64-devel-request@lists.xensource.com?subject=unsubscribe>
Sender:	xen-ia64-devel-bounces@xxxxxxxxxxxxxxxxxxx

Hi,

empty_zero_page can be polluted by writing to a page
through privcmd_mmap(). 
i.e. a user program can hang a privileged domain (dom0),
although root privilege is required.

An attached patch fixes it. resetting the VM_PFNMAP flag
is a little bit kludge. Is there any better solution?

After this patch is applied, other patches to Qemu become
necessary to create a HVM domain. I'll post them later.

Thanks,
Kouya

Signed-off-by: Kouya Shimura <kouya@xxxxxxxxxxxxxx>

diff -r 65a419f81336 arch/ia64/xen/hypervisor.c
--- a/arch/ia64/xen/hypervisor.c        Tue Feb 19 11:22:24 2008 -0700
+++ b/arch/ia64/xen/hypervisor.c        Thu Feb 21 15:58:39 2008 +0900
@@ -653,6 +653,12 @@ xen_ia64_privcmd_entry_mmap(struct vm_ar
 
        prot = vma->vm_page_prot;
        error = remap_pfn_range(vma, addr, gpfn, 1 << PAGE_SHIFT, prot);
+       /*
+        * VM_PFNMAP is set in remap_pfn_range().
+        * Reset the flag to avoid BUG_ON() in do_no_page().
+        */
+       vma->vm_flags &= ~VM_PFNMAP;
+
        if (error != 0) {
                error = HYPERVISOR_zap_physmap(gpfn, 0);
                if (error)
@@ -706,9 +712,18 @@ static void xen_ia64_privcmd_vma_open(st
 static void xen_ia64_privcmd_vma_open(struct vm_area_struct *vma);
 static void xen_ia64_privcmd_vma_close(struct vm_area_struct *vma);
 
+static struct page *
+xen_ia64_privcmd_vma_nopage(struct vm_area_struct *vma,
+                           unsigned long address,
+                           int *type)
+{
+       return NOPAGE_SIGBUS;
+}
+
 struct vm_operations_struct xen_ia64_privcmd_vm_ops = {
-       .open = &xen_ia64_privcmd_vma_open,
-       .close = &xen_ia64_privcmd_vma_close,
+       .open = xen_ia64_privcmd_vma_open,
+       .close = xen_ia64_privcmd_vma_close,
+       .nopage = xen_ia64_privcmd_vma_nopage
 };
 
 static void
@@ -832,7 +847,7 @@ privcmd_mmap(struct file * file, struct 
        privcmd_range->res = res;
 
        /* DONTCOPY is essential for Xen as copy_page_range is broken. */
-       vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY | VM_PFNMAP;
+       vma->vm_flags |= VM_RESERVED | VM_IO | VM_DONTCOPY;
 
        atomic_set(&privcmd_range->ref_count, 1);
        privcmd_range->pgoff = vma->vm_pgoff;

_______________________________________________
Xen-ia64-devel mailing list
Xen-ia64-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-ia64-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-ia64-devel] [PATCH][Linux] fix vulnerability of privcmd_mmap, Kouya Shimura <= Re: [Xen-ia64-devel] [PATCH][Linux] fix vulnerability of privcmd_mmap, Alex Williamson

Previous by Date:	RE: [Xen-ia64-devel] Open GFW for RHEL release., Yang, Fred
Next by Date:	[Xen-devel] [PATCH 02/11] xen: add missing VIRQ_ARCH_definitions which ia64/xen needs., yamahata
Previous by Thread:	[Xen-ia64-devel] [PATCH][Open GFW] Remove annoying debug messages on a serial console, Kouya Shimura
Next by Thread:	Re: [Xen-ia64-devel] [PATCH][Linux] fix vulnerability of privcmd_mmap, Alex Williamson
Indexes:	[Date] [Thread] [Top] [All Lists]