On Wed, 2019-02-20 at 20:15 +0000, Joao Martins wrote:
> +static int kvm_xen_shared_info_init(struct kvm *kvm, gfn_t gfn)
> +{
> + struct shared_info *shared_info;
> + struct page *page;
> +
> + page = gfn_to_page(kvm, gfn);
> + if (is_error_page(page))
> + return -EINVAL;
> +
> + kvm->arch.xen.shinfo_addr = gfn;
> +
> + shared_info = page_to_virt(page);
> + memset(shared_info, 0, sizeof(struct shared_info));
> + kvm->arch.xen.shinfo = shared_info;
> + return 0;
> +}
> +
Hm.
How come we get to pin the page and directly dereference it every time,
while kvm_setup_pvclock_page() has to use kvm_write_guest_cached()
instead?
If that was allowed, wouldn't it have been a much simpler fix for
CVE-2019-3016? What am I missing?
Should I rework these to use kvm_write_guest_cached()?
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
