diff options
| author | Damien Zammit <damien@zamaudio.com> | 2024-12-28 07:35:52 +0000 |
|---|---|---|
| committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2024-12-29 01:43:57 +0100 |
| commit | c930206466747aa69be0d2d1383a3b98c30c7016 (patch) | |
| tree | e8427523a04458831f793609c32932c5550b0832 | |
| parent | cac26b3523e48613745768494a0b83121d00c298 (diff) | |
| download | hurd-c930206466747aa69be0d2d1383a3b98c30c7016.tar.gz hurd-c930206466747aa69be0d2d1383a3b98c30c7016.tar.bz2 hurd-c930206466747aa69be0d2d1383a3b98c30c7016.zip | |
pci-arbiter: Fix long standing bug with PCI access
Proxied memory was not rounded up to page size, causing
error with vm_map'ing the underlying memory.
WARNING: Assumes pci memory resources are at least page aligned.
If not, this will expose part of next resource to userspace.
Message-ID: <20241228073545.712061-1-damien@zamaudio.com>
| -rw-r--r-- | pci-arbiter/netfs_impl.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/pci-arbiter/netfs_impl.c b/pci-arbiter/netfs_impl.c index 4bb5c97a..82e618a7 100644 --- a/pci-arbiter/netfs_impl.c +++ b/pci-arbiter/netfs_impl.c @@ -577,6 +577,7 @@ get_filemap_region (struct node *node, vm_prot_t prot) vm_prot_t max_prot; size_t reg_num; struct pci_mem_region *region; + size_t rounded_size; /* Get region info */ reg_num = @@ -592,12 +593,17 @@ get_filemap_region (struct node *node, vm_prot_t prot) if (err) goto error; + /* WARNING: this rounds up the proxied region to a whole page. + * This may be a security risk, but is the only way to provide access + * to the final page of the memory region */ + rounded_size = round_page (region->size); + /* Create a new memory object proxy with the required protection */ max_prot = (VM_PROT_READ | VM_PROT_WRITE) & prot; err = vm_region_create_proxy (mach_task_self (), (vm_address_t) node->nn->ln->region_maps[reg_num], - max_prot, region->size, &proxy); + max_prot, rounded_size, &proxy); if (err) goto error; |