From 9d529fb9e67626347bda2690fad8d62729080880 Mon Sep 17 00:00:00 2001 From: Yonghua Huang Date: Thu, 22 Nov 2018 19:11:02 +0800 Subject: [PATCH] hv:use copy of guest's memory block in 'hcall_set_vm_memory_regions()' to avoid passing guest's memory block into hypervisor internal process for security. Tracked-On: #861 Signed-off-by: Yonghua Huang Acked-by: Eddie Dong --- hypervisor/common/hypercall.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/hypervisor/common/hypercall.c b/hypervisor/common/hypercall.c index 8c1118b58..2f59babc3 100644 --- a/hypervisor/common/hypercall.c +++ b/hypervisor/common/hypercall.c @@ -581,7 +581,7 @@ static int32_t set_vm_memory_region(struct acrn_vm *vm, int32_t hcall_set_vm_memory_regions(struct acrn_vm *vm, uint64_t param) { struct set_regions set_regions; - struct vm_memory_region *regions; + struct vm_memory_region region; struct acrn_vm *target_vm; uint32_t idx; @@ -604,13 +604,17 @@ int32_t hcall_set_vm_memory_regions(struct acrn_vm *vm, uint64_t param) } idx = 0U; - /*TODO: use copy_from_gpa for this buffer page */ - regions = gpa2hva(vm, set_regions.regions_gpa); while (idx < set_regions.mr_num) { - /* the force pointer change below is for back compatible - * to struct vm_memory_region, it will be removed in the future - */ - int ret = set_vm_memory_region(vm, target_vm, ®ions[idx]); + int ret; + + if (copy_from_gpa(vm, ®ion, + set_regions.regions_gpa + idx * sizeof(region), + sizeof(region)) != 0) { + pr_err("%s: Copy region entry fail from vm\n", __func__); + return -EFAULT; + } + + ret = set_vm_memory_region(vm, target_vm, ®ion); if (ret < 0) { return ret; }
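Review bot: The loop bound in `while (idx < set_regions.mr_num)` still comes from the guest-supplied `set_regions` structure, and no upper limit on it is visible in this hunk, so a single hypercall can make the hypervisor run `copy_from_gpa()` and `set_vm_memory_region()` as many times as the guest asks. If the checks between the two hunks (not shown here) do not already cap it, a bound before the loop would close that, for example `if (set_regions.mr_num > MAX_MR_NUM) { return -EINVAL; }`, where `MAX_MR_NUM` is a placeholder for a limit the project chooses. The new `-EFAULT` exit, like the existing `ret < 0` exit, returns with the entries before `idx` presumably already applied to `target_vm`, so the call is not atomic. The commit removes the old comments without replacing them; I would add one above the loop, such as `/* Copy one entry at a time into hypervisor memory so the guest cannot change it while it is checked and applied; earlier entries stay applied on failure. */`. The function body starts before this hunk and continues past it, so the `idx` increment and the final return are not visible here.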