Date: Thu, 19 Oct 2006 12:47:51 -0400
From: Rik van Riel <riel@redhat.com>
Subject: [RHEL5 Xen] Grant table operations security patch
This patch by Herbert Xu fixes a security issue in the hypervisor
which would allow a malicious guest to access a grant table page
after it had been freed and possibly reallocated to another guest.
Since this is a security bug, it needs to be applied ASAP and has
been approved for inclusion in Beta 2. I have tested this patch
with FV and PV domains.
This patch fixes bug #210489
--
Who do you trust?
The people with all the right answers?
Or the people with the right questions?
diff -r a5a3f48e92c9 xen/common/grant_table.c
--- xen/common/grant_table.c Wed Oct 04 19:00:11 2006 +0100
+++ xen/common/grant_table.c Thu Oct 05 14:30:25 2006 +0800
@@ -30,6 +30,7 @@
#include <xen/trace.h>
#include <xen/guest_access.h>
#include <xen/domain_page.h>
+#include <xen/iocap.h>
#include <acm/acm_hooks.h>
/*
@@ -967,6 +968,11 @@ do_grant_table_op(
guest_handle_cast(uop, gnttab_map_grant_ref_t);
if ( unlikely(!guest_handle_okay(map, count)) )
goto out;
+
+ rc = -EPERM;
+ if (unlikely(!grant_flip_permitted(d)))
+ goto out;
+
rc = gnttab_map_grant_ref(map, count);
break;
}
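Review bot: The added guard `if (unlikely(!grant_flip_permitted(d)))` does not follow the bracket spacing the file uses on the line just above it, `if ( unlikely(!guest_handle_okay(map, count)) )`; write it as `if ( unlikely(!grant_flip_permitted(d)) )`. The same five-line block is then repeated verbatim in the unmap and transfer cases in the two following hunks, and since all three gate on the same predicate a single check ahead of the switch, or at least a one-line comment at this first occurrence saying why map/unmap/transfer are restricted to domains holding I/O memory capabilities, would keep the policy in one place. The switch header and the definition of `d` are outside the hunk, so whether a pre-switch check fits cannot be confirmed from here. Note also that the permission test is cheaper than `guest_handle_okay` and does not depend on the handle, so ordering it first would reject an unprivileged domain before any guest memory is touched.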
@@ -976,6 +982,11 @@ do_grant_table_op(
guest_handle_cast(uop, gnttab_unmap_grant_ref_t);
if ( unlikely(!guest_handle_okay(unmap, count)) )
goto out;
+
+ rc = -EPERM;
+ if (unlikely(!grant_flip_permitted(d)))
+ goto out;
+
rc = gnttab_unmap_grant_ref(unmap, count);
break;
}
@@ -991,6 +1002,11 @@ do_grant_table_op(
guest_handle_cast(uop, gnttab_transfer_t);
if ( unlikely(!guest_handle_okay(transfer, count)) )
goto out;
+
+ rc = -EPERM;
+ if (unlikely(!grant_flip_permitted(d)))
+ goto out;
+
rc = gnttab_transfer(transfer, count);
break;
}
diff -r a5a3f48e92c9 xen/include/xen/iocap.h
--- xen/include/xen/iocap.h Wed Oct 04 19:00:11 2006 +0100
+++ xen/include/xen/iocap.h Thu Oct 05 14:30:25 2006 +0800
@@ -31,4 +31,7 @@
#define multipage_allocation_permitted(d) \
(!rangeset_is_empty((d)->iomem_caps))
+#define grant_flip_permitted(d) \
+ (!rangeset_is_empty((d)->iomem_caps))
+
#endif /* __XEN_IOCAP_H__ */
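Review bot: The new `grant_flip_permitted` macro has exactly the same expansion as `multipage_allocation_permitted` directly above it and carries no comment, so a reader cannot tell why a non-empty `iomem_caps` rangeset is the criterion for allowing grant map/unmap/transfer. Add a comment above it such as `/* Grant map/unmap/transfer are restricted to domains holding I/O memory capabilities (driver domains); same criterion as multipage_allocation_permitted. */`. If the two predicates are meant to stay in lockstep, define one in terms of the other, `#define grant_flip_permitted(d) multipage_allocation_permitted(d)`, so they cannot silently drift apart.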