[HVM] Disallow PTE updates and MMIO accesses from hypervisor mode
authorkfraser@localhost.localdomain <kfraser@localhost.localdomain>
Thu, 16 Nov 2006 10:52:03 +0000 (10:52 +0000)
committerkfraser@localhost.localdomain <kfraser@localhost.localdomain>
Thu, 16 Nov 2006 10:52:03 +0000 (10:52 +0000)
(prevents copy_to/from_guest from causing problems, for example).
Signed-off-by: Keir Fraser <keir@xensource.com>
xen/arch/x86/mm/shadow/multi.c

index ba15cb65d2999df3a8b419d36a1fff87ec52a59b..76e4dfc8e6dc8e1ba8439ede01431de15b235907 100644 (file)
@@ -2798,8 +2798,9 @@ static int sh_page_fault(struct vcpu *v,
      * We do not emulate user writes. Instead we use them as a hint that the
      * page is no longer a page table. This behaviour differs from native, but
      * it seems very unlikely that any OS grants user access to page tables.
+     * We also disallow guest PTE updates from within Xen.
      */
-    if ( (regs->error_code & PFEC_user_mode) ||
+    if ( (regs->error_code & PFEC_user_mode) || !guest_mode(regs) ||
          x86_emulate_memop(&emul_ctxt, &shadow_emulator_ops) )
     {
         SHADOW_PRINTK("emulator failure, unshadowing mfn %#lx\n", 
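Review bot: The new `!guest_mode(regs)` term shares the branch whose SHADOW_PRINTK reads "emulator failure, unshadowing mfn", so a fault raised by Xen's own access is logged as an emulator failure even though `x86_emulate_memop` was never called. The added comment line says what is disallowed but not why, and it does not say that the term must stay ahead of the emulator call so that short-circuit evaluation keeps the emulator away from a register frame that is presumably Xen's rather than the guest's. I would extend the comment with something like `* (regs then describe Xen's context, not the guest's, so the check must precede the emulator call.)`, and consider a distinct message for the hypervisor-mode case so the two causes can be told apart in a debug log. The page table is also unshadowed on this path, so a hypervisor copy into a guest page-table page has the same side effect as a user-mode write; worth confirming that is intended. The body of sh_page_fault continues outside the hunk.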
@@ -2839,6 +2840,8 @@ static int sh_page_fault(struct vcpu *v,
     goto done;
 
  mmio:
+    if ( !guest_mode(regs) )
+        goto not_a_shadow_fault;
     perfc_incrc(shadow_fault_mmio);
     sh_audit_gw(v, &gw);
     unmap_walk(v, &gw);
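Review bot: The early `goto not_a_shadow_fault` at the top of `mmio:` skips the `sh_audit_gw(v, &gw)` / `unmap_walk(v, &gw)` pair that follows it, and the `not_a_shadow_fault` label lies outside this hunk. It should be confirmed that the label's path releases the guest walk mapping and any lock held at this point, otherwise every hypervisor-mode access to an MMIO address would leak them. The rejection is also silent: no perf counter or debug print records that Xen touched a guest MMIO range, which makes a misbehaving copy_to/from_guest caller hard to spot. A short comment such as `/* MMIO is never emulated on Xen's behalf; let the normal fault path handle it. */` above the check would document the intent.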