From patchwork Wed Aug 9 08:20:38 2017
X-Patchwork-Submitter: Sergej Proskurin
X-Patchwork-Id: 9889841
From: Sergej Proskurin
To: xen-devel@lists.xenproject.org
Date: Wed, 9 Aug 2017 10:20:38 +0200
Message-Id: <20170809082038.3236-14-proskurin@sec.in.tum.de>
In-Reply-To: <20170809082038.3236-1-proskurin@sec.in.tum.de>
References: <20170809082038.3236-1-proskurin@sec.in.tum.de>
Cc: Sergej Proskurin, Julien Grall, Tamas K Lengyel, Stefano Stabellini, Razvan Cojocaru
Subject: [Xen-devel] [PATCH v8 13/13] arm/mem_access: Walk the guest's pt in software

In this commit, we make use of the gpt walk functionality introduced in
the previous commits. If mem_access is active, hardware-based gva to ipa
translation might fail, as gva_to_ipa uses the guest's translation
tables, access to which might be restricted by the active VTTBR. To
side-step potential translation errors in the function
p2m_mem_access_check_and_get_page due to restricted memory (e.g. to the
guest's page tables themselves), we walk the guest's page tables in
software.

Signed-off-by: Sergej Proskurin
Acked-by: Tamas K Lengyel
---
Cc: Razvan Cojocaru
Cc: Tamas K Lengyel
Cc: Stefano Stabellini
Cc: Julien Grall
---
v2: Check the returned access rights after walking the guest's page tables in
    the function p2m_mem_access_check_and_get_page.

v3: Adapt Function names and parameter.

v4: Comment why we need to fail if the permission flags that are
    requested by the caller do not satisfy the mapped page.

    Cosmetic fix that simplifies the if-statement checking for the
    GV2M_WRITE permission.

v5: Move comment to ease code readability.
---
 xen/arch/arm/mem_access.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/xen/arch/arm/mem_access.c b/xen/arch/arm/mem_access.c index e0888bbad2..3e2bb4088a 100644 --- a/xen/arch/arm/mem_access.c +++ b/xen/arch/arm/mem_access.c @@ -22,6 +22,7 @@ #include #include #include +#include static int __p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access) @@ -101,6 +102,7 @@ p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, const struct vcpu *v) { long rc; + unsigned int perms; paddr_t ipa; gfn_t gfn; mfn_t mfn; @@ -110,8 +112,35 @@ p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, struct p2m_domain *p2m = p2m_get_hostp2m(v->domain); rc = gva_to_ipa(gva, &ipa, flag); + + /* + * In case mem_access is active, hardware-based gva_to_ipa translation + * might fail. Since gva_to_ipa uses the guest's translation tables, access + * to which might be restricted by the active VTTBR, we perform a gva to + * ipa translation in software. + */ if ( rc < 0 ) - goto err; + { + /* + * The software gva to ipa translation can still fail, e.g., if the gva + * is not mapped. + */ + if ( guest_walk_tables(v, gva, &ipa, &perms) < 0 ) + goto err; + + /* + * Check permissions that are assumed by the caller. For instance in + * case of guestcopy, the caller assumes that the translated page can + * be accessed with requested permissions. If this is not the case, we + * should fail. + * + * Please note that we do not check for the GV2M_EXEC permission. Yet, + * since the hardware-based translation through gva_to_ipa does not + * test for execute permissions this check can be left out. + */ + if ( (flag & GV2M_WRITE) && !(perms & GV2M_WRITE) ) + goto err; + } gfn = gaddr_to_gfn(ipa);
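Review bot: In the last hunk of p2m_mem_access_check_and_get_page, the fallback at `if ( rc < 0 )` runs the software walk for every gva_to_ipa failure, while the comment directly above it justifies the walk only for the case where mem_access is active. Nothing in the visible lines ties the two together, so either the comment should say where that precondition is guaranteed (for example, that callers only reach this function with mem_access enabled), or the walk should be gated on it. Related to this, rc still holds the negative gva_to_ipa result after guest_walk_tables succeeds, because the walk's return value is only compared and never stored; it is worth confirming that rc is reassigned before it is next tested after `gfn = gaddr_to_gfn(ipa);`, or assigning the walk's result to rc so the success path does not carry a stale error. On style, the GV2M_EXEC sentence ("Please note that we do not check ... Yet, since ...") reads as a contradiction; something like "GV2M_EXEC is not checked because the hardware-based translation through gva_to_ipa does not test execute permissions either" states the reasoning directly.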