From patchwork Thu Jul 6 11:50:17 2017
X-Patchwork-Submitter: Sergej Proskurin
X-Patchwork-Id: 9828073
From: Sergej Proskurin
To: xen-devel@lists.xenproject.org
Cc: Sergej Proskurin, Julien Grall, Tamas K Lengyel, Stefano Stabellini, Razvan Cojocaru
Date: Thu, 6 Jul 2017 13:50:17 +0200
Message-Id: <20170706115017.23072-15-proskurin@sec.in.tum.de>
Subject: [Xen-devel] [PATCH v6 14/14] arm/mem_access: Walk the guest's pt in software

In this commit, we make use of the gpt walk functionality introduced in the
previous commits. If mem_access is active, hardware-based gva to ipa
translation might fail, as gva_to_ipa uses the guest's translation tables,
access to which might be restricted by the active VTTBR. To side-step
potential translation errors in the function
p2m_mem_access_check_and_get_page due to restricted memory (e.g. to the
guest's page tables themselves), we walk the guest's page tables in
software.

Signed-off-by: Sergej Proskurin
Acked-by: Tamas K Lengyel
---
Cc: Razvan Cojocaru
Cc: Tamas K Lengyel
Cc: Stefano Stabellini
Cc: Julien Grall
---
v2: Check the returned access rights after walking the guest's page tables in
    the function p2m_mem_access_check_and_get_page.

v3: Adapt Function names and parameter.

v4: Comment why we need to fail if the permission flags that are requested by
    the caller do not satisfy the mapped page.

    Cosmetic fix that simplifies the if-statement checking for the
    GV2M_WRITE permission.

v5: Move comment to ease code readability.
---
 xen/arch/arm/mem_access.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/xen/arch/arm/mem_access.c b/xen/arch/arm/mem_access.c index bcf49f5c15..a58611daed 100644 --- a/xen/arch/arm/mem_access.c +++ b/xen/arch/arm/mem_access.c @@ -22,6 +22,7 @@ #include #include #include +#include static int __p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access) @@ -101,6 +102,7 @@ p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, const struct vcpu *v) { long rc; + unsigned int perms; paddr_t ipa; gfn_t gfn; mfn_t mfn; @@ -110,8 +112,35 @@ p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, struct p2m_domain *p2m = &v->domain->arch.p2m; rc = gva_to_ipa(gva, &ipa, flag); + + /* + * In case mem_access is active, hardware-based gva_to_ipa translation + * might fail. Since gva_to_ipa uses the guest's translation tables, access + * to which might be restricted by the active VTTBR, we perform a gva to + * ipa translation in software. + */ if ( rc < 0 ) - goto err; + { + /* + * The software gva to ipa translation can still fail, e.g., if the gva + * is not mapped. + */ + if ( guest_walk_tables(v, gva, &ipa, &perms) < 0 ) + goto err; + + /* + * Check permissions that are assumed by the caller. For instance in + * case of guestcopy, the caller assumes that the translated page can + * be accessed with requested permissions. If this is not the case, we + * should fail. + * + * Please note that we do not check for the GV2M_EXEC permission. Yet, + * since the hardware-based translation through gva_to_ipa does not + * test for execute permissions this check can be left out. + */ + if ( (flag & GV2M_WRITE) && !(perms & GV2M_WRITE) ) + goto err; + } gfn = gaddr_to_gfn(ipa);
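Review bot: The `unsigned int perms;` added in the second hunk is left uninitialised and is later read in `!(perms & GV2M_WRITE)`, so the write check is sound only if guest_walk_tables() stores to *perms on every path that returns >= 0. Initialising it at the declaration (`unsigned int perms = 0;`, so GV2M_WRITE is clear by default) would make a write request fail closed regardless of the walker's internals.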
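Review bot: In the last hunk, once guest_walk_tables() succeeds inside the `if ( rc < 0 )` block, rc still holds the negative value from the failed gva_to_ipa() call, because the walk's return value is only compared and never stored. If any code after `gfn = gaddr_to_gfn(ipa);` tests rc before reassigning it, a successful software translation would still be treated as a failure; storing the result (`rc = guest_walk_tables(v, gva, &ipa, &perms);` followed by `if ( rc < 0 ) goto err;`) removes that dependency on the code that follows. The fallback also runs on every gva_to_ipa() failure, while the comment above it ties the walk to mem_access being active; the comment should either say that callers guarantee this or the walk should be gated on it.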