Having these point into space not controlled by the hypervisor provides an unnecessary attack surface. Allow architectures to override them and utilize that override to make them non-canonical addresses (thus causing #GP rather than #PF when dereferenced).
Suggested-by: Andrew Cooper <andrew.coop...@citrix.com> Signed-off-by: Jan Beulich <jbeul...@suse.com> --- The security aspect of this makes Andrew and me think this should be considered for 4.5 despite it not fixing an actual bug. --- a/xen/include/asm-x86/config.h +++ b/xen/include/asm-x86/config.h @@ -106,6 +106,10 @@ /* Return value for zero-size _xmalloc(), distinguished from NULL. */ #define ZERO_BLOCK_PTR ((void *)0xBAD0BAD0BAD0BAD0UL) +/* Override include/xen/list.h to make these non-canonical addresses. */ +#define LIST_POISON1 ((void *)0x0100100100100100UL) +#define LIST_POISON2 ((void *)0x0200200200200200UL) + #ifndef __ASSEMBLY__ extern unsigned long trampoline_phys; #define bootsym_phys(sym) \ --- a/xen/include/xen/list.h +++ b/xen/include/xen/list.h @@ -10,12 +10,15 @@ #include <xen/lib.h> #include <asm/system.h> -/* These are non-NULL pointers that will result in page faults - * under normal circumstances, used to verify that nobody uses - * non-initialized list entries. +/* + * These are non-NULL pointers that will result in faults under normal + * circumstances, used to verify that nobody uses non-initialized list + * entries. Architectures can override these. */ +#ifndef LIST_POISON1 #define LIST_POISON1 ((void *) 0x00100100) #define LIST_POISON2 ((void *) 0x00200200) +#endif /* * Simple doubly linked list implementation. _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel
