[XEN] Add a missing access check to __gnttab_copy.
authorssmith@weybridge.uk.xensource.com <ssmith@weybridge.uk.xensource.com>
Mon, 14 Aug 2006 09:45:45 +0000 (10:45 +0100)
committerssmith@weybridge.uk.xensource.com <ssmith@weybridge.uk.xensource.com>
Mon, 14 Aug 2006 09:45:45 +0000 (10:45 +0100)
Signed-off-by: Steven Smith <sos22@cam.ac.uk>
xen/common/grant_table.c

index 32c20b0547c48edc9fd9fdf9d4358e67b45f164e..d43a74439f99612772962ec00ac89b385583d99b 100644 (file)
@@ -822,11 +822,20 @@ __gnttab_copy(
     char *sp, *dp;
     s16 rc = GNTST_okay;
     int have_d_grant = 0, have_s_grant = 0;
+    int src_is_gref, dest_is_gref;
 
     if ( ((op->source.offset + op->len) > PAGE_SIZE) ||
          ((op->dest.offset + op->len) > PAGE_SIZE) )
         PIN_FAIL(error_out, GNTST_bad_copy_arg, "copy beyond page area.\n");
 
+    src_is_gref = op->flags & GNTCOPY_source_gref;
+    dest_is_gref = op->flags & GNTCOPY_dest_gref;
+
+    if ( (op->source.domid != DOMID_SELF && !src_is_gref ) ||
+         (op->dest.domid   != DOMID_SELF && !dest_is_gref)   )
+        PIN_FAIL(error_out, GNTST_permission_denied,
+                 "only allow copy-by-mfn for DOMID_SELF.\n");
+
     if ( op->source.domid == DOMID_SELF )
     {
         sd = current->domain;
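Review bot: The new permission check at `if ( (op->source.domid != DOMID_SELF && !src_is_gref ) || ...` has no comment explaining why it exists, and the reason is a security invariant that belongs next to the code. I would add above it `/* A raw frame number is not vetted by any grant entry, so copy-by-MFN is accepted only for the caller's own domain (DOMID_SELF). */`. The check reads `op->source.domid` and `op->dest.domid`, which the unchanged code reads again immediately below, so it is only sound if `op` points at a hypervisor-private copy of the guest's request rather than guest-writable memory; that is not visible here and is worth confirming. The body of __gnttab_copy starts and ends outside this hunk.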
@@ -849,7 +858,7 @@ __gnttab_copy(
                  "couldn't find %d\n", op->dest.domid);
     }
 
-    if ( op->flags & GNTCOPY_source_gref )
+    if ( src_is_gref )
     {
         rc = __acquire_grant_for_copy(sd, op->source.u.ref, 1, &s_frame);
         if ( rc != GNTST_okay )
@@ -864,7 +873,7 @@ __gnttab_copy(
         PIN_FAIL(error_out, GNTST_general_error,
                  "could not get source frame %lx.\n", s_frame);
 
-    if ( op->flags & GNTCOPY_dest_gref )
+    if ( dest_is_gref )
     {
         rc = __acquire_grant_for_copy(dd, op->dest.u.ref, 0, &d_frame);
         if ( rc != GNTST_okay )