From: Paul Durrant <paul.durrant@citrix.com>
To: xen-devel@lists.xenproject.org
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
	Paul Durrant <paul.durrant@citrix.com>
Subject: [PATCH v3 4/4] x86/hvm: add stricter permissions checks to ioreq server control plane
Date: Tue, 20 Mar 2018 18:05:25 +0000
Message-ID: <20180320180525.28605-5-paul.durrant@citrix.com>
In-Reply-To: <20180320180525.28605-1-paul.durrant@citrix.com>

There has always been an intention in the ioreq server API that only the
domain that creates an ioreq server should be able to manipulate it.
However, so far, nothing has enforced this. This means that two domains
with DM_PRIV over a target domain can currently manipulate each other's
ioreq servers.

A previous patch added code to take a reference and store a pointer to the
domain that creates an ioreq server. This patch now adds checks to the
functions that manipulate the ioreq server to make sure they are being
called by the same domain.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
---
 xen/arch/x86/hvm/ioreq.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index fecabb96a9..44d029499d 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -757,6 +757,10 @@ int hvm_destroy_ioreq_server(struct domain *d, ioservid_t id)
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         domain_pause(d);
 
         p2m_set_ioreq_server(d, 0, s);
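Review bot: At the new `s->emulator != current->domain` test in hvm_destroy_ioreq_server(), the id match comes first, so a caller that does not own the server gets -EPERM for an id that exists and whatever rc held before the loop for an id that does not. If a non-owning domain should not be able to probe which ids are in use, return the same error in both cases; otherwise a one-line comment saying the distinction is intentional would help.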
@@ -801,6 +805,10 @@ int hvm_get_ioreq_server_info(struct domain *d, ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         *ioreq_gfn = s->ioreq.gfn;
 
         if ( s->bufioreq.va != NULL )
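Review bot: In hvm_get_ioreq_server_info(), `rc = -EPERM` is assigned unconditionally before the ownership test, and the context that follows (`*ioreq_gfn = s->ioreq.gfn;`) does not reassign it. Please confirm the success path sets rc back to 0 before leaving the loop, or assign the error only inside the failing branch so that a later reordering cannot leave a successful call returning -EPERM.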
@@ -843,6 +851,10 @@ int hvm_map_io_range_to_ioreq_server(struct domain *d, ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         switch ( type )
         {
         case XEN_DMOP_IO_RANGE_PORT:
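Review bot: The four-line ownership check added before `switch ( type )` here is repeated verbatim in all six functions this patch touches. A small helper taking `s`, or doing the check as part of the shared look-up, would keep the policy in one place and make it harder to add a future ioreq server operation without it.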
@@ -898,6 +910,10 @@ int hvm_unmap_io_range_from_ioreq_server(struct domain *d, ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         switch ( type )
         {
         case XEN_DMOP_IO_RANGE_PORT:
@@ -961,6 +977,10 @@ int hvm_map_mem_type_to_ioreq_server(struct domain *d, ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         rc = p2m_set_ioreq_server(d, flags, s);
         break;
     }
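Review bot: The new -EPERM return introduced at the `rc = -EPERM` line in hvm_map_mem_type_to_ioreq_server() is not documented anywhere in this patch; the diffstat shows only ioreq.c changing. Consider noting alongside the interface description that these operations fail with -EPERM when invoked by a domain other than the one that created the server, so that device model authors sharing a target can tell this apart from other failures.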
@@ -1000,6 +1020,10 @@ int hvm_set_ioreq_server_state(struct domain *d, ioservid_t id,
         if ( s->id != id )
             continue;
 
+        rc = -EPERM;
+        if ( s->emulator != current->domain )
+            break;
+
         domain_pause(d);
 
         if ( enabled )
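Review bot: The comparison against `current->domain` in hvm_set_ioreq_server_state() assumes the function is only ever reached from a hypercall issued by the emulating domain. If any path calls it from another context, it would now fail with -EPERM; please confirm there is no such caller, or state the assumption in a comment above the check. Placing the test before `domain_pause(d)` is right, since a rejected caller then cannot pause the target.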
-- 
2.11.0

