Returning truncated frame numbers is unhelpful: quite likely they're not owned by the domain (if it's PV), or we may misguide the guest into writing grant entries into a page that it actually uses for other purposes.
Signed-off-by: Jan Beulich <[email protected]> --- RFC: Arguably in the 32-bit PV case it may be necessary to instead put in place an explicit address restriction when allocating ->shared_raw[N]. This is currently implicit by alloc_xenheap_page() only returning memory covered by the direct-map. --- a/xen/common/compat/grant_table.c +++ b/xen/common/compat/grant_table.c @@ -175,8 +175,15 @@ int compat_grant_table_op(unsigned int c i < (_s_)->nr_frames; ++i ) \ { \ compat_pfn_t frame = (_s_)->frame_list.p[i]; \ - if ( __copy_to_compat_offset((_d_)->frame_list, \ - i, &frame, 1) ) \ + if ( frame != (_s_)->frame_list.p[i] ) \ + { \ + if ( VALID_M2P((_s_)->frame_list.p[i]) ) \ + (_s_)->status = GNTST_address_too_big; \ + else \ + frame |= 0x80000000U;\ + } \ + else if ( __copy_to_compat_offset((_d_)->frame_list, \ + i, &frame, 1) ) \ (_s_)->status = GNTST_bad_virt_addr; \ } \ } while (0)
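Review bot: in the new `if ( frame != (_s_)->frame_list.p[i] )` block, the `frame |= 0x80000000U;` result is never written out: the `__copy_to_compat_offset()` call now sits in the `else if` branch, so on truncation of a frame that is not `VALID_M2P()` the marked value is computed and discarded, and the guest's compat `frame_list` entry at index `i` is left untouched (whatever the guest had there before). Either the marked frame should still be copied (e.g. fall through to the copy for that sub-case), or the `frame |= 0x80000000U;` line is dead and should go, together with a comment explaining what the high bit is meant to signal; a named constant would also be better than the bare `0x80000000U`. Separately, after setting `GNTST_address_too_big` the loop keeps iterating and continues filling later entries, so consider breaking out once the status has been set, so the caller sees a consistent partial result rather than a mix of copied and skipped entries.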
