On 06.01.2024 01:46, Stefano Stabellini wrote:
> On Fri, 5 Jan 2024, Jiqian Chen wrote:
>> @@ -72,8 +73,30 @@ long hvm_physdev_op(int cmd, XEN_GUEST_HANDLE_PARAM(void) 
>> arg)
>>  
>>      switch ( cmd )
>>      {
>> -    case PHYSDEVOP_map_pirq:
>> -    case PHYSDEVOP_unmap_pirq:
>> +    case PHYSDEVOP_map_pirq: {
>> +        physdev_map_pirq_t map;
>> +
>> +        if ( copy_from_guest(&map, arg, 1) != 0 )
>> +            return -EFAULT;
>> +
>> +        if ( !has_pirq(currd) && map.domid == DOMID_SELF )
>> +            return -ENOSYS;
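Review bot: the copy_from_guest() added at the top of this case re-reads a hypercall argument that, as noted in the reply, do_physdev_op already copies in, so the has_pirq()/DOMID_SELF check is evaluated on one fetch while the code that later consumes the structure works from another; a guest can rewrite the buffer between the two reads, and the check then no longer constrains the value actually used. Move the check to the existing path where the structure is copied in once, so that the check and the use operate on the same local copy rather than adding a second copy_from_guest() here.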
> 
> This looks OK to me although there is already another copy_from_guest in
> do_physdev_op, but I don't see an easy way to make it better.

How can double reads of hypercall args ever be okay? The new check clearly
needs to be inserted in the code path where the structure is being read
already anyway.

Jan
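The point in Jan's reply, that a check performed on one copy of a hypercall argument says nothing about a second copy read later, is easiest to see in miniature. The following is an added example written for this page, not code from the patch or from Xen: the structure, the constants (DOMID_SELF_SIM, OTHER_DOMID_SIM, ENOSYS_SIM), the simulated copy_from_guest() and the "guest memory" buffer are all constructed stand-ins. handle_double_fetch() has the shape of the hunk (a copy for the early check, another copy for the real operation); handle_single_fetch() reads the argument once and checks and uses that same copy.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the physdev map request: only the field the
 * hunk's check inspects. The constants are placeholders, not Xen's values. */
typedef struct {
    uint16_t domid;
    int      pirq;
} map_req_t;

#define DOMID_SELF_SIM   0x7FF0   /* placeholder for DOMID_SELF */
#define OTHER_DOMID_SIM  5        /* a domid the check permits */
#define ENOSYS_SIM       38       /* placeholder errno value */

/* Constructed "guest memory": the request buffer the guest owns and may
 * rewrite at any moment, including between two hypervisor reads. */
static map_req_t guest_mem;

static void reset_guest(uint16_t domid)
{
    guest_mem.domid = domid;
    guest_mem.pirq  = 1;
}

/* Simulated copy_from_guest(): every call re-reads guest memory. */
static int copy_from_guest_sim(map_req_t *dst)
{
    *dst = guest_mem;
    return 0;
}

/* The racing guest: once the early check has seen a permitted domid, it
 * rewrites the buffer to the value the check was meant to reject. */
static void guest_rewrites_to_self(void)
{
    guest_mem.domid = DOMID_SELF_SIM;
}

/* Double fetch, the shape of the hunk: one copy feeds the early check and a
 * second copy in the real handler feeds the operation. The guest buffer starts
 * out holding initial_domid. Returns the domid the handler acted on, or
 * -ENOSYS_SIM if the check rejected the request. */
int handle_double_fetch(uint16_t initial_domid, bool has_pirq, bool guest_races)
{
    map_req_t check_copy, use_copy;

    reset_guest(initial_domid);
    copy_from_guest_sim(&check_copy);                 /* read #1: the check */
    if (!has_pirq && check_copy.domid == DOMID_SELF_SIM)
        return -ENOSYS_SIM;

    if (guest_races)
        guest_rewrites_to_self();                     /* the window between reads */

    copy_from_guest_sim(&use_copy);                   /* read #2: the use */
    return use_copy.domid;                            /* may now be DOMID_SELF */
}

/* Single fetch, what the reply asks for: the argument is read once, and the
 * check and the operation both consume that one local copy. */
int handle_single_fetch(uint16_t initial_domid, bool has_pirq, bool guest_races)
{
    map_req_t req;

    reset_guest(initial_domid);
    copy_from_guest_sim(&req);                        /* the only read */
    if (!has_pirq && req.domid == DOMID_SELF_SIM)
        return -ENOSYS_SIM;

    if (guest_races)
        guest_rewrites_to_self();                     /* too late: req is already ours */

    return req.domid;
}

int main(void)
{
    /* Guest presents a permitted domid, then races: the double fetch acts on
     * DOMID_SELF although the check rejects exactly that value. */
    printf("double fetch, racing guest: acted on domid 0x%x\n",
           handle_double_fetch(OTHER_DOMID_SIM, false, true));
    printf("single fetch, racing guest: acted on domid 0x%x\n",
           handle_single_fetch(OTHER_DOMID_SIM, false, true));
    return 0;
}
```

The simulation only models the race by calling the rewrite between the two reads; on real hardware the second guest vCPU does the same thing without cooperation, which is why the number of reads, not the order of checks, is what determines whether the check binds.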
