From: Joan Bae
To: xen-devel@lists.xenproject.org
Cc: Joan Bae, Stefano Stabellini, Julien Grall, Bertrand Marquis, Michal Orzel
Subject: [XEN PATCH] xen/common: validate shared memory guest address overlap with guest RAM
Date: Tue, 14 Apr 2026 09:59:18 +0900
Message-ID: <59dcd094173791926fff212f3f2b86df50b0dc12.1776060772.git.joan.bae@boeing.com>

Currently, process_shm() does not check whether the guest physical address of a shared memory region overlaps with the domain's allocated RAM banks. Neither process_shm() nor p2m_set_entry() checks for existing mappings, so the RAM mapping is silently overwritten if a user specifies a guest physical address that falls within the guest RAM range.

Since construct_domain() loads the kernel after process_shm(), the kernel can end up in shared memory pages. This can cause:

- Another domain corrupting the kernel via shared memory write
- Silent guest crash with no error message from Xen

Add a check in process_shm() to validate that the shared memory guest address range does not overlap with any of the domain's allocated RAM banks.

Signed-off-by: Joan Bae
---
 xen/common/device-tree/static-shmem.c | 37 +++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/xen/common/device-tree/static-shmem.c b/xen/common/device-tree/static-shmem.c
index 4c4cc1b123..b0ae0304a1 100644
--- a/xen/common/device-tree/static-shmem.c
+++ b/xen/common/device-tree/static-shmem.c
@@ -293,6 +293,31 @@ static bool __init save_map_heap_pages(struct domain *= d, struct page_info *pg, return false; } =20 +static bool __init +check_shm_guest_paddr_overlap(struct kernel_info *kinfo, paddr_t gbase, + paddr_t size) +{ + unsigned int i; + const struct membanks *kinfo_mem =3D kernel_info_get_mem_const(kinfo); + paddr_t gend =3D gbase + size; + + for ( i =3D 0; i < kinfo_mem->nr_banks; i++ ) + { + paddr_t bankbase =3D kinfo_mem->bank[i].start; + paddr_t bankend =3D bankbase + kinfo_mem->bank[i].size; + + /* Check if shared memory overlaps with guest RAM */ + if ( gbase < bankend && bankbase < gend ) + { + printk("Shared memory guest address 0x%"PRIpaddr" - 0x%"PRIpad= dr"" + " overlaps with guest RAM 0x%"PRIpaddr" - 0x%"PRIpaddr= "\n", + gbase, gend - 1, bankbase, bankend - 1); + return true; + } + } + + return false; +} + int __init process_shm(struct domain *d, struct kernel_info *kinfo, const struct dt_device_node *node) { @@ -355,6 +380,12 @@ int __init process_shm(struct domain *d, struct kernel= _info *kinfo, /* guest phys address is after host phys address */ gbase =3D dt_read_paddr(cells + addr_cells, addr_cells); =20 + if ( check_shm_guest_paddr_overlap(kinfo, gbase, psize) ) + { + printk("%pd: shared memory region overlaps with the guest'= s RAM range\n", d); + return -EINVAL; + } + if ( is_domain_direct_mapped(d) && (pbase !=3D gbase) ) { printk("%pd: physical address 0x%"PRIpaddr" and guest addr= ess 0x%"PRIpaddr" are not direct-mapped.\n", @@ -396,6 +427,12 @@ int __init process_shm(struct domain *d, struct kernel= _info *kinfo, /* guest phys address is right at the beginning */ gbase =3D dt_read_paddr(cells, addr_cells); =20 + if ( check_shm_guest_paddr_overlap(kinfo, gbase, psize) ) + { + printk("%pd: shared memory region overlaps with the guest'= s RAM range\n", d); + return -EINVAL; + } + if ( !alloc_bank ) { alloc_heap_pages_cb_extra cb_arg =3D { d, role_str, gbase, --=20 2.43.0
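Review bot: in the hunk at @@ -293,6 +293,31 @@, `paddr_t gend = gbase + size;` in check_shm_guest_paddr_overlap() can wrap when a device-tree supplied gbase sits near the top of the address space; a wrapped gend makes `bankbase < gend` false and lets an overlapping region pass. Consider rejecting the region when `gbase + size < gbase` before the loop, or comparing against an inclusive end (`gbase + size - 1`), which also matches how the message already prints `gend - 1`. Separately, the helper's printk carries no `%pd` prefix while both callers print a second message with it for the same failure; passing `d` into the helper and dropping the callers' printk would leave one log line per rejected region that still names the domain and the two conflicting ranges.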
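Review bot: in the hunk at @@ -355,6 +380,12 @@, the added line `printk("%pd: shared memory region overlaps with the guest's RAM range\n", d);` runs to roughly 93 columns at its indentation, beyond the 80-column limit in Xen's CODING_STYLE; split the format string or move `d` to its own line. The block is also placed before the `is_domain_direct_mapped(d) && (pbase != gbase)` test, which is the right order (the RAM overlap is reported before the direct-mapping mismatch), but worth a one-line comment so a later reordering does not silently change which error a misconfigured region reports.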
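Review bot: in the hunk at @@ -396,6 +427,12 @@, the five-line check-and-printk block is a verbatim copy of the one added in the other branch that reads gbase. Since check_shm_guest_paddr_overlap() already prints the conflicting ranges, both copies could shrink to `if ( check_shm_guest_paddr_overlap(kinfo, gbase, psize) ) return -EINVAL;`, or the helper could return the errno itself so the error path exists once; if both branches fall through to common code before anything is mapped, a single call there would remove the duplication entirely.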