From patchwork Mon Jun 13 10:50:46 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Julien Grall X-Patchwork-Id: 69869 Delivered-To: patch@linaro.org Received: by 10.140.106.246 with SMTP id e109csp1477098qgf; Mon, 13 Jun 2016 03:50:56 -0700 (PDT) X-Received: by 10.36.16.193 with SMTP id 184mr17074432ity.12.1465815056844; Mon, 13 Jun 2016 03:50:56 -0700 (PDT) Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id iu4si13781423pac.93.2016.06.13.03.50.56; Mon, 13 Jun 2016 03:50:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965450AbcFMKuy (ORCPT + 30 others); Mon, 13 Jun 2016 06:50:54 -0400 Received: from foss.arm.com ([217.140.101.70]:50769 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964910AbcFMKux (ORCPT ); Mon, 13 Jun 2016 06:50:53 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 48620F; Mon, 13 Jun 2016 03:51:32 -0700 (PDT) Received: from e108454-lin.cambridge.arm.com (e108454-lin.cambridge.arm.com [10.1.215.28]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 36FD53F253; Mon, 13 Jun 2016 03:50:51 -0700 (PDT) From: Julien Grall To: boris.ostrovsky@oracle.com, david.vrabel@citrix.com, jgross@suse.com, sstabellini@kernel.org, konrad.wilk@oracle.com Cc: steve.capper@arm.com, linux-kernel@vger.kernel.org, xen-devel@lists.xen.org, andrew.cooper3@citrix.com, JBeulich@suse.com, Julien Grall Subject: [PATCH] xen: grant-table: Check truncation when giving access to a frame Date: Mon, 13 Jun 2016 11:50:46 +0100 Message-Id: <1465815046-5390-1-git-send-email-julien.grall@arm.com> X-Mailer: git-send-email 1.9.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The version 1 of the grant-table protocol only supports frame encoded on 32-bit. When the platform is supporting 48-bit physical address, the frame will be encoded on 36-bit which will lead a truncation and give access to the wrong frame. On ARM Xen will always allow the guest to use all the physical address, although today the RAM is always located under 40-bits (see xen/include/public/arch-arm.h). Add a truncation check in gnttab_update_entry_v1 to prevent the guest to give access to the wrong frame. Signed-off-by: Julien Grall --- This is limiting us to a 44-bit address space whilst ARM can support up to 48-bit today. This number of bit will increase to 52-bit in upcoming processors [1]. It might be good to start thinking to extend the version 1 of the protocol to use 64-bit frame number. [1] https://community.arm.com/groups/processors/blog/2016/01/05/armv8-a-architecture-evolution --- drivers/xen/grant-table.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 1.9.1 diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index bb36b1e..f47c2e99 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -224,6 +224,13 @@ static void gnttab_update_entry_v1(grant_ref_t ref, domid_t domid, { gnttab_shared.v1[ref].domid = domid; gnttab_shared.v1[ref].frame = frame; + + /* + * V1 only supports 32-bit frame, check the truncation + * to avoid giving access to the wrong frame. + */ + BUG_ON(gnttab_shared.v1[ref].frame != frame); + wmb(); gnttab_shared.v1[ref].flags = flags; }