From 3986b845e87c3f963227ece86bb633450761ec18 Mon Sep 17 00:00:00 2001 From: Andrew Cooper Date: Thu, 11 May 2017 14:47:00 +0100 Subject: [PATCH] x86/shadow: Hold references for the duration of emulated writes The (misnamed) emulate_gva_to_mfn() function translates a linear address to an mfn, but releases its page reference before returning the mfn to its caller. sh_emulate_map_dest() uses the results of one or two translations to construct a virtual mapping to the underlying frames, completes an emulated write/cmpxchg, then unmaps the virtual mappings. The page references need holding until the mappings are unmapped, or the frames can change ownership before the writes occurs. This is XSA-219 Reported-by: Andrew Cooper Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Reviewed-by: Tim Deegan --- xen/arch/x86/mm/shadow/common.c | 54 +++++++++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 18 deletions(-) diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index ced2313..13305d2 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -1703,7 +1703,10 @@ static unsigned int shadow_get_allocation(struct domain *d) /**************************************************************************/ /* Handling guest writes to pagetables. */ -/* Translate a VA to an MFN, injecting a page-fault if we fail. */ +/* + * Translate a VA to an MFN, injecting a page-fault if we fail. If the + * mapping succeeds, a reference will be held on the underlying page. + */ #define BAD_GVA_TO_GFN (~0UL) #define BAD_GFN_TO_MFN (~1UL) #define READONLY_GFN (~2UL) @@ -1751,16 +1754,15 @@ static mfn_t emulate_gva_to_mfn(struct vcpu *v, unsigned long vaddr, ASSERT(mfn_valid(mfn)); v->arch.paging.last_write_was_pt = !!sh_mfn_is_a_page_table(mfn); - /* - * Note shadow cannot page out or unshare this mfn, so the map won't - * disappear. Otherwise, caller must hold onto page until done. - */ - put_page(page); return mfn; } -/* Check that the user is allowed to perform this write. */ +/* + * Check that the user is allowed to perform this write. If a mapping is + * returned, page references will be held on sh_ctxt->mfn[0] and + * sh_ctxt->mfn[1] iff !INVALID_MFN. + */ void *sh_emulate_map_dest(struct vcpu *v, unsigned long vaddr, unsigned int bytes, struct sh_emulate_ctxt *sh_ctxt) @@ -1768,13 +1770,6 @@ void *sh_emulate_map_dest(struct vcpu *v, unsigned long vaddr, struct domain *d = v->domain; void *map; - sh_ctxt->mfn[0] = emulate_gva_to_mfn(v, vaddr, sh_ctxt); - if ( !mfn_valid(sh_ctxt->mfn[0]) ) - return ((mfn_x(sh_ctxt->mfn[0]) == BAD_GVA_TO_GFN) ? - MAPPING_EXCEPTION : - (mfn_x(sh_ctxt->mfn[0]) == READONLY_GFN) ? - MAPPING_SILENT_FAIL : MAPPING_UNHANDLEABLE); - #ifndef NDEBUG /* We don't emulate user-mode writes to page tables. */ if ( has_hvm_container_domain(d) @@ -1787,6 +1782,17 @@ void *sh_emulate_map_dest(struct vcpu *v, unsigned long vaddr, } #endif + sh_ctxt->mfn[0] = emulate_gva_to_mfn(v, vaddr, sh_ctxt); + if ( !mfn_valid(sh_ctxt->mfn[0]) ) + { + switch ( mfn_x(sh_ctxt->mfn[0]) ) + { + case BAD_GVA_TO_GFN: return MAPPING_EXCEPTION; + case READONLY_GFN: return MAPPING_SILENT_FAIL; + default: return MAPPING_UNHANDLEABLE; + } + } + /* Unaligned writes mean probably this isn't a pagetable. */ if ( vaddr & (bytes - 1) ) sh_remove_shadows(d, sh_ctxt->mfn[0], 0, 0 /* Slow, can fail. */ ); @@ -1803,6 +1809,7 @@ void *sh_emulate_map_dest(struct vcpu *v, unsigned long vaddr, * Cross-page emulated writes are only supported for HVM guests; * PV guests ought to know better. */ + put_page(mfn_to_page(sh_ctxt->mfn[0])); return MAPPING_UNHANDLEABLE; } else @@ -1810,17 +1817,26 @@ void *sh_emulate_map_dest(struct vcpu *v, unsigned long vaddr, /* This write crosses a page boundary. Translate the second page. */ sh_ctxt->mfn[1] = emulate_gva_to_mfn(v, vaddr + bytes - 1, sh_ctxt); if ( !mfn_valid(sh_ctxt->mfn[1]) ) - return ((mfn_x(sh_ctxt->mfn[1]) == BAD_GVA_TO_GFN) ? - MAPPING_EXCEPTION : - (mfn_x(sh_ctxt->mfn[1]) == READONLY_GFN) ? - MAPPING_SILENT_FAIL : MAPPING_UNHANDLEABLE); + { + put_page(mfn_to_page(sh_ctxt->mfn[0])); + switch ( mfn_x(sh_ctxt->mfn[1]) ) + { + case BAD_GVA_TO_GFN: return MAPPING_EXCEPTION; + case READONLY_GFN: return MAPPING_SILENT_FAIL; + default: return MAPPING_UNHANDLEABLE; + } + } /* Cross-page writes mean probably not a pagetable. */ sh_remove_shadows(d, sh_ctxt->mfn[1], 0, 0 /* Slow, can fail. */ ); map = vmap(sh_ctxt->mfn, 2); if ( !map ) + { + put_page(mfn_to_page(sh_ctxt->mfn[0])); + put_page(mfn_to_page(sh_ctxt->mfn[1])); return MAPPING_UNHANDLEABLE; + } map += (vaddr & ~PAGE_MASK); } @@ -1890,10 +1906,12 @@ void sh_emulate_unmap_dest(struct vcpu *v, void *addr, unsigned int bytes, } paging_mark_dirty(v->domain, mfn_x(sh_ctxt->mfn[0])); + put_page(mfn_to_page(sh_ctxt->mfn[0])); if ( unlikely(mfn_valid(sh_ctxt->mfn[1])) ) { paging_mark_dirty(v->domain, mfn_x(sh_ctxt->mfn[1])); + put_page(mfn_to_page(sh_ctxt->mfn[1])); vunmap((void *)((unsigned long)addr & PAGE_MASK)); } else -- 2.1.4