diff options
| author | Jan Beulich <jbeulich@suse.com> | 2013-04-18 16:19:51 +0200 |
|---|---|---|
| committer | Jan Beulich <jbeulich@suse.com> | 2013-04-18 16:19:51 +0200 |
| commit | e414c4074d9a86a23727a385416fd21b67ee079f (patch) | |
| tree | 7055fa7100ce47494d44d6e9eee3c0912acad040 /tools | |
| parent | 68a30a91bad2d4ff1f7c0d4302ec1060d573f6da (diff) | |
| download | xen-e414c4074d9a86a23727a385416fd21b67ee079f.tar.gz xen-e414c4074d9a86a23727a385416fd21b67ee079f.tar.bz2 xen-e414c4074d9a86a23727a385416fd21b67ee079f.zip | |
x86: fix various issues with handling guest IRQs
- properly revoke IRQ access in map_domain_pirq() error path
- don't permit replacing an in use IRQ
- don't accept inputs in the GSI range for MAP_PIRQ_TYPE_MSI
- track IRQ access permission in host IRQ terms, not guest IRQ ones
(and with that, also disallow Dom0 access to IRQ0)
This is CVE-2013-1919 / XSA-46.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
master commit: 545607eb3cfeb2abf5742d1bb869734f317fcfe5
master date: 2013-04-18 16:11:23 +0200
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/libxl/libxl_create.c | 12 | ||||
| -rw-r--r-- | tools/python/xen/xend/server/irqif.py | 12 |
2 files changed, 13 insertions, 11 deletions
diff --git a/tools/libxl/libxl_create.c b/tools/libxl/libxl_create.c index c6011fae2d..12c20471f3 100644 --- a/tools/libxl/libxl_create.c +++ b/tools/libxl/libxl_create.c @@ -969,14 +969,16 @@ static void domcreate_launch_dm(libxl__egc *egc, libxl__multidev *multidev, } for (i = 0; i < d_config->b_info.num_irqs; i++) { - uint32_t irq = d_config->b_info.irqs[i]; + int irq = d_config->b_info.irqs[i]; - LOG(DEBUG, "dom%d irq %"PRIx32, domid, irq); + LOG(DEBUG, "dom%d irq %d", domid, irq); - ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1); + ret = irq >= 0 ? xc_physdev_map_pirq(CTX->xch, domid, irq, &irq) + : -EOVERFLOW; + if (!ret) + ret = xc_domain_irq_permission(CTX->xch, domid, irq, 1); if ( ret<0 ){ - LOGE(ERROR, - "failed give dom%d access to irq %"PRId32, domid, irq); + LOGE(ERROR, "failed give dom%d access to irq %d", domid, irq); ret = ERROR_FAIL; } } diff --git a/tools/python/xen/xend/server/irqif.py b/tools/python/xen/xend/server/irqif.py index ae0b1ff4b6..723f34652a 100644 --- a/tools/python/xen/xend/server/irqif.py +++ b/tools/python/xen/xend/server/irqif.py @@ -73,6 +73,12 @@ class IRQController(DevController): pirq = get_param('irq') + rc = xc.physdev_map_pirq(domid = self.getDomid(), + index = pirq, + pirq = pirq) + if rc < 0: + raise VmError('irq: Failed to map irq %x' % (pirq)) + rc = xc.domain_irq_permission(domid = self.getDomid(), pirq = pirq, allow_access = True) @@ -81,12 +87,6 @@ class IRQController(DevController): #todo non-fatal raise VmError( 'irq: Failed to configure irq: %d' % (pirq)) - rc = xc.physdev_map_pirq(domid = self.getDomid(), - index = pirq, - pirq = pirq) - if rc < 0: - raise VmError( - 'irq: Failed to map irq %x' % (pirq)) back = dict([(k, config[k]) for k in self.valid_cfg if k in config]) return (self.allocateDeviceID(), back, {}) |