Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:steve-beattie
kernel
xen-grant-table-operations-security.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xen-grant-table-operations-security.patch of Package kernel
Date: Thu, 19 Oct 2006 12:47:51 -0400 From: Rik van Riel <riel@redhat.com> Subject: [RHEL5 Xen] Grant table operations security patch This patch by Herbert Xu fixes a security issue in the hypervisor, which would allow a malicious guest to access a freed grant table page after freeing and possibly having it reallocated to another guest. Since this is a security bug, it needs to be applied ASAP and has been approved for inclusion in Beta 2. I have tested this patch with FV and PV domains. This patch fixes bug #210489 -- Who do you trust? The people with all the right answers? Or the people with the right questions? diff -r a5a3f48e92c9 xen/common/grant_table.c --- xen/common/grant_table.c Wed Oct 04 19:00:11 2006 +0100 +++ xen/common/grant_table.c Thu Oct 05 14:30:25 2006 +0800 @@ -30,6 +30,7 @@ #include <xen/trace.h> #include <xen/guest_access.h> #include <xen/domain_page.h> +#include <xen/iocap.h> #include <acm/acm_hooks.h> /* @@ -967,6 +968,11 @@ do_grant_table_op( guest_handle_cast(uop, gnttab_map_grant_ref_t); if ( unlikely(!guest_handle_okay(map, count)) ) goto out; + + rc = -EPERM; + if (unlikely(!grant_flip_permitted(d))) + goto out; + rc = gnttab_map_grant_ref(map, count); break; } @@ -976,6 +982,11 @@ do_grant_table_op( guest_handle_cast(uop, gnttab_unmap_grant_ref_t); if ( unlikely(!guest_handle_okay(unmap, count)) ) goto out; + + rc = -EPERM; + if (unlikely(!grant_flip_permitted(d))) + goto out; + rc = gnttab_unmap_grant_ref(unmap, count); break; } @@ -991,6 +1002,11 @@ do_grant_table_op( guest_handle_cast(uop, gnttab_transfer_t); if ( unlikely(!guest_handle_okay(transfer, count)) ) goto out; + + rc = -EPERM; + if (unlikely(!grant_flip_permitted(d))) + goto out; + rc = gnttab_transfer(transfer, count); break; } diff -r a5a3f48e92c9 xen/include/xen/iocap.h --- xen/include/xen/iocap.h Wed Oct 04 19:00:11 2006 +0100 +++ xen/include/xen/iocap.h Thu Oct 05 14:30:25 2006 +0800 @@ -31,4 +31,7 @@ #define multipage_allocation_permitted(d) \ (!rangeset_is_empty((d)->iomem_caps)) +#define grant_flip_permitted(d) \ + (!rangeset_is_empty((d)->iomem_caps)) + #endif /* __XEN_IOCAP_H__ */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor