From c439f5e97b0229851ba76249ccb224695a1baa29 Mon Sep 17 00:00:00 2001 From: Julien Grall Date: Wed, 25 Aug 2021 15:08:29 +0200 Subject: [PATCH] xen/arm: Restrict the amount of memory that dom0less domU and dom0 can allocate Currently, both dom0less domUs and dom0 can allocate an "unlimited" amount of memory because d->max_pages is set to ~0U. In particular, the former are meant to be unprivileged. Therefore the memory they could allocate should be bounded. As the domain are not yet officially aware of Xen (we don't expose advertise it in the DT, yet the hypercalls are accessible), they should not need to allocate more than the initial amount. So cap set d->max_pages directly the amount of memory we are meant to allocate. Take the opportunity to also restrict the memory for dom0 as the domain is direct mapped (e.g. MFN == GFN) and therefore cannot allocate outside of the pre-allocated region. This is CVE-2021-28700 / XSA-383. Reported-by: Julien Grall Signed-off-by: Julien Grall Reviewed-by: Stefano Stabellini Tested-by: Stefano Stabellini master commit: c08d68cd2aacbc7cb56e73ada241bfe4639bbc68 master date: 2021-08-25 14:19:31 +0200 --- xen/arch/arm/domain_build.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c index b07461f5d3..f49dbf1ca1 100644 --- a/xen/arch/arm/domain_build.c +++ b/xen/arch/arm/domain_build.c @@ -2439,7 +2439,8 @@ static int __init construct_domU(struct domain *d, if ( vcpu_create(d, 0) == NULL ) return -ENOMEM; - d->max_pages = ~0U; + + d->max_pages = ((paddr_t)mem * SZ_1K) >> PAGE_SHIFT; kinfo.d = d; @@ -2540,7 +2541,7 @@ int __init construct_dom0(struct domain *d) iommu_hwdom_init(d); - d->max_pages = ~0U; + d->max_pages = dom0_mem >> PAGE_SHIFT; kinfo.unassigned_mem = dom0_mem; kinfo.d = d; -- 2.30.2