Message ID | 20221026102018.4144-5-andrew.cooper3@citrix.com (mailing list archive)
---|---
State | Superseded
Series | XSA-409 fixes
Hi Andrew,

> -----Original Message-----
> Subject: [PATCH 4/4] xen/arm: Correct the p2m pool size calculations
>
> Allocating or freeing p2m pages doesn't alter the size of the mempool; only
> the split between free and used pages.
>
> Right now, the hypercalls operate on the free subset of the pool, meaning that
> XEN_DOMCTL_get_p2m_mempool_size varies with time as the guest shuffles its
> physmap, and XEN_DOMCTL_set_p2m_mempool_size ignores the used subset of the
> pool and lets the guest grow unbounded.
>
> This fixes test-p2m-pool on ARM so that the behaviour matches x86.
>
> This is part of XSA-409 / CVE-2022-33747.
>
> Fixes: cbea5a1149ca ("xen/arm: Allocate and free P2M pages from the P2M pool")
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Release-acked-by: Henry Wang <Henry.Wang@arm.com>

Hi Arm maintainers, may I ask for a reviewed-by/ack from you for the
correctness of the code in the release? Thank you very much!

Kind regards,
Henry
On 11/11/2022 10:11, Henry Wang wrote:
>> -----Original Message-----
>> Subject: [PATCH 4/4] xen/arm: Correct the p2m pool size calculations
>>
>> Allocating or freeing p2m pages doesn't alter the size of the mempool; only
>> the split between free and used pages.
>>
>> Right now, the hypercalls operate on the free subset of the pool, meaning that
>> XEN_DOMCTL_get_p2m_mempool_size varies with time as the guest shuffles its
>> physmap, and XEN_DOMCTL_set_p2m_mempool_size ignores the used subset of the
>> pool and lets the guest grow unbounded.
>>
>> This fixes test-p2m-pool on ARM so that the behaviour matches x86.
>>
>> This is part of XSA-409 / CVE-2022-33747.
>>
>> Fixes: cbea5a1149ca ("xen/arm: Allocate and free P2M pages from the P2M pool")
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
>
> Release-acked-by: Henry Wang <Henry.Wang@arm.com>
>
> Hi Arm maintainers, may I ask for a reviewed-by/ack from you for the
> correctness of the code in the release? Thank you very much!

Reviewed-by: Julien Grall <jgrall@amazon.com>

Cheers,
diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index 92b678cf0d09..dd9696c48312 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -72,7 +72,6 @@ static struct page_info *p2m_alloc_page(struct domain *d) spin_unlock(&d->arch.paging.lock); return NULL; } - d->arch.paging.p2m_total_pages--; } spin_unlock(&d->arch.paging.lock); @@ -85,10 +84,7 @@ static void p2m_free_page(struct domain *d, struct page_info *pg) if ( is_hardware_domain(d) ) free_domheap_page(pg); else - { - d->arch.paging.p2m_total_pages++; page_list_add_tail(pg, &d->arch.paging.p2m_freelist); - } spin_unlock(&d->arch.paging.lock); }
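Review bot: Dropping `d->arch.paging.p2m_total_pages--;` from p2m_alloc_page() in the first hunk makes the counter independent of pages moving from the freelist into use, so it now describes the whole pool rather than its free subset. That only yields the bounded behaviour the commit message promises if the code servicing XEN_DOMCTL_set_p2m_mempool_size compares its target against this total rather than against the freelist length, and that code is not in the diff. A one-line comment on the field, or a sentence in the commit message, stating that p2m_total_pages is the pool total and is adjusted only by the pool-sizing code would make the invariant explicit for the next reader.

Review bot: In the second hunk the non-hardware-domain branch of p2m_free_page() reduces to a single page_list_add_tail() onto p2m_freelist, so after this patch neither p2m_alloc_page() nor p2m_free_page() touches p2m_total_pages for any domain, while the hardware-domain branch continues to hand the page back with free_domheap_page() as before. A short comment near the freelist recording that the freelist and the total are maintained by different code would help keep the two from drifting apart again. Removing the now-redundant braces around the single-statement else is consistent with the unbraced `free_domheap_page(pg);` branch directly above it.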
Allocating or freeing p2m pages doesn't alter the size of the mempool; only
the split between free and used pages.

Right now, the hypercalls operate on the free subset of the pool, meaning that
XEN_DOMCTL_get_p2m_mempool_size varies with time as the guest shuffles its
physmap, and XEN_DOMCTL_set_p2m_mempool_size ignores the used subset of the
pool and lets the guest grow unbounded.

This fixes test-p2m-pool on ARM so that the behaviour matches x86.

This is part of XSA-409 / CVE-2022-33747.

Fixes: cbea5a1149ca ("xen/arm: Allocate and free P2M pages from the P2M pool")
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Xen Security Team <security@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
CC: Roger Pau Monné <roger.pau@citrix.com>
CC: Wei Liu <wl@xen.org>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien@xen.org>
CC: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
CC: Bertrand Marquis <bertrand.marquis@arm.com>
CC: Henry Wang <Henry.Wang@arm.com>
CC: Anthony PERARD <anthony.perard@citrix.com>
---
 xen/arch/arm/p2m.c | 4 ----
 1 file changed, 4 deletions(-)