From 191a8478a96ff3ade66395e382befefc3aea2eab Mon Sep 17 00:00:00 2001
From: "kfraser@localhost.localdomain"
Date: Fri, 17 Nov 2006 10:48:34 +0000
Subject: [PATCH] [XEN] Restrict access to grant-mapping operations.

TLB flushing is not done strictly before notifying the mappee -- this creates scope for multi-processor mapping guests to attempt to abuse a stale mapping on another VCPU.

Signed-off-by: Herbert Xu
---
 xen/common/grant_table.c | 11 +++++++++++
 xen/include/xen/iocap.h | 8 ++++++++
 2 files changed, 19 insertions(+)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 3b6ad11548..552db91089 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -24,6 +24,8 @@
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
 
+#include
+#include
 #include
 #include
 #include
@@ -991,6 +993,9 @@ do_grant_table_op(
 guest_handle_cast(uop, gnttab_map_grant_ref_t);
 if ( unlikely(!guest_handle_okay(map, count)) )
 goto out;
+ rc = -EPERM;
+ if ( unlikely(!grant_flip_permitted(d)) )
+ goto out;
 rc = gnttab_map_grant_ref(map, count);
 break;
 }
@@ -1000,6 +1005,9 @@ do_grant_table_op(
 guest_handle_cast(uop, gnttab_unmap_grant_ref_t);
 if ( unlikely(!guest_handle_okay(unmap, count)) )
 goto out;
+ rc = -EPERM;
+ if ( unlikely(!grant_flip_permitted(d)) )
+ goto out;
 rc = gnttab_unmap_grant_ref(unmap, count);
 break;
 }
@@ -1015,6 +1023,9 @@ do_grant_table_op(
 guest_handle_cast(uop, gnttab_transfer_t);
 if ( unlikely(!guest_handle_okay(transfer, count)) )
 goto out;
+ rc = -EPERM;
+ if ( unlikely(!grant_flip_permitted(d)) )
+ goto out;
 rc = gnttab_transfer(transfer, count);
 break;
 }
diff --git a/xen/include/xen/iocap.h b/xen/include/xen/iocap.h
index db461b9dcb..b3a5daec45 100644
--- a/xen/include/xen/iocap.h
+++ b/xen/include/xen/iocap.h
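Review bot: The three new guards call `grant_flip_permitted(d)`, but the only macro this patch defines, in xen/include/xen/iocap.h, is `grant_operations_permitted(d)`; nothing on the page declares `grant_flip_permitted`, so the build of grant_table.c would fail (or, with a lenient toolchain, fall back to an implicit declaration) and the intended restriction would never take effect. The same mismatch is in the map hunk at @@ -991, the unmap hunk at @@ -1000 and the transfer hunk at @@ -1015; each guard should read `if ( unlikely(!grant_operations_permitted(d)) )`. The check also relies on `d` already being in scope as the calling domain in do_grant_table_op, which begins and ends outside these hunks, so it is worth confirming that `d` is `current->domain` at that point and not a target domain left over from another case. Since the identical three lines are repeated in each gated case, folding them into a small static helper (or one check placed before the three cases) would make it harder for a later operation to be added without the guard.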
@@ -31,4 +31,12 @@
 #define multipage_allocation_permitted(d) \
 (!rangeset_is_empty((d)->iomem_caps))
 
+/*
+ * Until TLB flushing issues are sorted out we consider it unsafe for
+ * domains with no hardware-access privileges to perform grant map/transfer
+ * operations.
+ */
+#define grant_operations_permitted(d) \
+ (!rangeset_is_empty((d)->iomem_caps))
+
 #endif /* __XEN_IOCAP_H__ */
-- 
2.30.2
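Review bot: The new comment describes the restriction as covering "grant map/transfer operations", but the callers added in xen/common/grant_table.c gate map, unmap and transfer, so the header should say `* domains with no hardware-access privileges to perform grant map/unmap/transfer` to match what is enforced. The comment should also make explicit that a non-empty `iomem_caps` rangeset is being used as a proxy for "domain with hardware privilege" rather than anything TLB-specific, e.g. `* The test reuses the iomem_caps rangeset as a proxy for hardware privilege.`, so that whoever fixes the flush ordering can see the macro is a stopgap and retire it. The body evaluates `d` once, exactly like `multipage_allocation_permitted` above it, so there is no double-evaluation hazard to note.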