# HG changeset patch # User Alex Williamson # Date 1197653103 25200 # Node ID e6069a715fd7ef15bb72f5c17e8e7db4e8128f32 # Parent a7ede5cb628a03c0afeaf8fbea4268995ea8eccf [IA64] Fix vulnerability of copy_to_user in PAL emulation There is a security vulnerability in PAL emulation since alt-dtlb miss handler of HVM absolutely inserts a identity-mapped TLB when psr.vm=0. HVM guest can access an arbitrary machine physical memory with this security hole. Actually windows 2008 destroys the content of machine physical address 0x108000. I think this patch is enough for normal usage. Please see SDM Vol2 11.10.2.1.3 "Making PAL Procedure Calls in Physical or Virtual Mode". If the caller has a responsibility of providing DTR or DTC mapping, xencomm for PAL might be unnecessary. I confirmed there is no problem in linux, windows 2003, windows 2008 with this patch. As for PV domain, the same logic can't be used due to only one vTLB. This patch only checks that the buffer never points VMM address, that would avoid the vulnerability. Signed-off-by: Kouya Shimura xen-unstable changeset: 16622:e6069a715fd7ef15bb72f5c17e8e7db4e8128f32 xen-unstable date: Fri Dec 14 10:25:03 2007 -0700 diff -r a7ede5cb628a -r e6069a715fd7 xen/arch/ia64/xen/fw_emul.c --- a/xen/arch/ia64/xen/fw_emul.c Fri Dec 14 10:12:40 2007 -0700 +++ b/xen/arch/ia64/xen/fw_emul.c Fri Dec 14 10:25:03 2007 -0700 @@ -37,6 +37,7 @@ #include #include #include +#include static DEFINE_SPINLOCK(efi_time_services_lock); @@ -568,6 +569,45 @@ sal_emulator (long index, unsigned long break; } return ((struct sal_ret_values) {status, r9, r10, r11}); +} + +static int +safe_copy_to_guest(unsigned long to, void *from, long size) +{ + BUG_ON((unsigned)size > PAGE_SIZE); + + if (VMX_DOMAIN(current)) { + if (is_virtual_mode(current)) { + thash_data_t *data; + unsigned long gpa, poff; + + /* The caller must provide a DTR or DTC mapping */ + data = vtlb_lookup(current, to, DSIDE_TLB); + if (data) { + gpa = data->page_flags & _PAGE_PPN_MASK; + } else { + data = vhpt_lookup(to); + if (!data) + return -1; + gpa = __mpa_to_gpa( + data->page_flags & _PAGE_PPN_MASK); + gpa &= _PAGE_PPN_MASK; + } + poff = POFFSET(to, data->ps); + if (poff + size > PSIZE(data->ps)) + return -1; + to = PAGEALIGN(gpa, data->ps) | poff; + } + to |= XENCOMM_INLINE_FLAG; + if (xencomm_copy_to_guest((void *)to, from, size, 0) != 0) + return -1; + return 0; + } else { + /* check for vulnerability */ + if (IS_VMM_ADDRESS(to) || IS_VMM_ADDRESS(to + size - 1)) + panic_domain(NULL, "copy to bad address:0x%lx\n", to); + return copy_to_user((void __user *)to, from, size); + } } cpumask_t cpu_cache_coherent_map; @@ -805,16 +845,13 @@ xen_pal_emulator(unsigned long index, u6 pm_buffer, (pal_perf_mon_info_u_t *) &r9); if (status != 0) { - while(1) printk("PAL_PERF_MON_INFO fails ret=%ld\n", status); break; } - if (copy_to_user((void __user *)in1,pm_buffer,128)) { - while(1) - printk("xen_pal_emulator: PAL_PERF_MON_INFO " - "can't copy to user!!!!\n"); - status = PAL_STATUS_UNIMPLEMENTED; - break; + if (safe_copy_to_guest( + in1, pm_buffer, sizeof(pm_buffer))) { + status = PAL_STATUS_EINVAL; + goto fail_to_copy; } } break; @@ -837,10 +874,11 @@ xen_pal_emulator(unsigned long index, u6 consumes 10 mW, implemented and cache/TLB coherent. */ unsigned long res = 1000UL | (1000UL << 16) | (10UL << 32) | (1UL << 61) | (1UL << 60); - if (copy_to_user ((void *)in1, &res, sizeof (res))) + if (safe_copy_to_guest (in1, &res, sizeof (res))) { status = PAL_STATUS_EINVAL; - else - status = PAL_STATUS_SUCCESS; + goto fail_to_copy; + } + status = PAL_STATUS_SUCCESS; } break; case PAL_HALT: @@ -901,6 +944,12 @@ xen_pal_emulator(unsigned long index, u6 printk("%s: Unimplemented PAL Call %lu\n", __func__, index); break; } + return ((struct ia64_pal_retval) {status, r9, r10, r11}); + +fail_to_copy: + gdprintk(XENLOG_WARNING, + "PAL(%ld) fail to copy!!! args 0x%lx 0x%lx 0x%lx\n", + index, in1, in2, in3); return ((struct ia64_pal_retval) {status, r9, r10, r11}); }