File 56a0f4f2-x86-constrain-MFN-range-Dom0-may-access.patch of Package xen.11298

# Commit 53de839fb40936c074213a0c400e3c959e4ec461
# Date 2016-01-21 16:10:42 +0100
# Author Jan Beulich <jbeulich@suse.com>
# Committer Jan Beulich <jbeulich@suse.com>
x86: constrain MFN range Dom0 may access

... to that covered by the physical address width supported by the
processor. This implicitly avoids Dom0 (accidentally or due to some
kind of abuse) passing out of range addresses to a guest, which in
turn eliminates this only possibility for PV guests to create PTEs
with one or more reserved bits set.

Note that this is not a security issue due to XSA-77.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

Index: xen-4.5.5-testing/xen/arch/x86/domain_build.c
===================================================================
--- xen-4.5.5-testing.orig/xen/arch/x86/domain_build.c
+++ xen-4.5.5-testing/xen/arch/x86/domain_build.c
@@ -1437,7 +1437,7 @@ int __init construct_dom0(
 
     /* The hardware domain is initially permitted full I/O capabilities. */
     rc |= ioports_permit_access(d, 0, 0xFFFF);
-    rc |= iomem_permit_access(d, 0UL, ~0UL);
+    rc |= iomem_permit_access(d, 0UL, (1UL << (paddr_bits - PAGE_SHIFT)) - 1);
     rc |= irqs_permit_access(d, 1, nr_irqs_gsi - 1);
 
     /*
Index: xen-4.5.5-testing/xen/arch/x86/mm.c
===================================================================
--- xen-4.5.5-testing.orig/xen/arch/x86/mm.c
+++ xen-4.5.5-testing/xen/arch/x86/mm.c
@@ -4569,7 +4569,7 @@ struct memory_map_context
 static int _handle_iomem_range(unsigned long s, unsigned long e,
                                struct memory_map_context *ctxt)
 {
-    if ( s > ctxt->s )
+    if ( s > ctxt->s && !(s >> (paddr_bits - PAGE_SHIFT)) )
     {
         e820entry_t ent;
         XEN_GUEST_HANDLE_PARAM(e820entry_t) buffer_param;