From patchwork Tue Jul 18 12:25:07 2017
X-Patchwork-Submitter: Sergej Proskurin
X-Patchwork-Id: 9848237
From: Sergej Proskurin
To: xen-devel@lists.xenproject.org
Date: Tue, 18 Jul 2017 14:25:07 +0200
Message-Id: <20170718122507.11873-15-proskurin@sec.in.tum.de>
In-Reply-To: <20170718122507.11873-1-proskurin@sec.in.tum.de>
References: <20170718122507.11873-1-proskurin@sec.in.tum.de>
Cc: Sergej Proskurin, Julien Grall, Tamas K Lengyel, Stefano Stabellini, Razvan Cojocaru
Subject: [Xen-devel] [PATCH v7 14/14] arm/mem_access: Walk the guest's pt in software

In this commit, we make use of the gpt walk functionality introduced in the previous commits. If mem_access is active, hardware-based gva to ipa translation might fail, as gva_to_ipa uses the guest's translation tables, access to which might be restricted by the active VTTBR. To side-step potential translation errors in the function p2m_mem_access_check_and_get_page due to restricted memory (e.g. to the guest's page tables themselves), we walk the guest's page tables in software.

Signed-off-by: Sergej Proskurin
Acked-by: Tamas K Lengyel
---
Cc: Razvan Cojocaru
Cc: Tamas K Lengyel
Cc: Stefano Stabellini
Cc: Julien Grall
---
v2: Check the returned access rights after walking the guest's page tables in the function p2m_mem_access_check_and_get_page.

v3: Adapt Function names and parameter.

v4: Comment why we need to fail if the permission flags that are requested by the caller do not satisfy the mapped page.

    Cosmetic fix that simplifies the if-statement checking for the GV2M_WRITE permission.

v5: Move comment to ease code readability.
---
 xen/arch/arm/mem_access.c | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/xen/arch/arm/mem_access.c b/xen/arch/arm/mem_access.c index bcf49f5c15..a58611daed 100644 --- a/xen/arch/arm/mem_access.c +++ b/xen/arch/arm/mem_access.c @@ -22,6 +22,7 @@ #include #include #include +#include static int __p2m_get_mem_access(struct domain *d, gfn_t gfn, xenmem_access_t *access) @@ -101,6 +102,7 @@ p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, const struct vcpu *v) { long rc; + unsigned int perms; paddr_t ipa; gfn_t gfn; mfn_t mfn; @@ -110,8 +112,35 @@ p2m_mem_access_check_and_get_page(vaddr_t gva, unsigned long flag, struct p2m_domain *p2m = &v->domain->arch.p2m; rc = gva_to_ipa(gva, &ipa, flag); + + /* + * In case mem_access is active, hardware-based gva_to_ipa translation + * might fail. Since gva_to_ipa uses the guest's translation tables, access + * to which might be restricted by the active VTTBR, we perform a gva to + * ipa translation in software. + */ if ( rc < 0 ) - goto err; + { + /* + * The software gva to ipa translation can still fail, e.g., if the gva + * is not mapped. + */ + if ( guest_walk_tables(v, gva, &ipa, &perms) < 0 ) + goto err; + + /* + * Check permissions that are assumed by the caller. For instance in + * case of guestcopy, the caller assumes that the translated page can + * be accessed with requested permissions. If this is not the case, we + * should fail. + * + * Please note that we do not check for the GV2M_EXEC permission. Yet, + * since the hardware-based translation through gva_to_ipa does not + * test for execute permissions this check can be left out. + */ + if ( (flag & GV2M_WRITE) && !(perms & GV2M_WRITE) ) + goto err; + } gfn = gaddr_to_gfn(ipa);
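Review bot: In the hunk at -101,6 +102,7, "unsigned int perms;" is declared at function scope in p2m_mem_access_check_and_get_page, but it is only written by guest_walk_tables and read by the GV2M_WRITE check inside the new "if ( rc < 0 )" block. Declaring it inside that block would keep the uninitialised variable out of scope on the path where the hardware gva_to_ipa translation succeeds.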
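Review bot: In the hunk at -110,8 +112,35, rc still holds the negative result of gva_to_ipa after guest_walk_tables succeeds and the GV2M_WRITE check passes, and execution then falls through to "gfn = gaddr_to_gfn(ipa);". If anything below this hunk reads rc before it is reassigned, a successful software walk would still be treated as a failure; setting rc to 0 at the end of the new block would make the success path explicit. Separately, the fallback is taken on every gva_to_ipa failure, while the comment above "if ( rc < 0 )" motivates it only for the case where mem_access is active; either check for that condition or extend the comment to say why a software walk is acceptable for the other failure causes.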