Returning back truncated frame numbers is unhelpful: Quite likely
they're not owned by the domain (if it's PV), or we may misguide the
guest into writing grant entries into a page that it actually uses for
other purposes.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2: Drop use of VALID_M2P(). Use "break". Move type change for "frame"
    here (from earlier patch).
---
RFC: Arguably in the 32-bit PV case it may be necessary to instead put
     in place an explicit address restriction when allocating
     ->shared_raw[N]. This is currently implicit by alloc_xenheap_page()
     only returning memory covered by the direct-map.

--- unstable.orig/xen/common/compat/grant_table.c	2022-10-10 11:02:21.198223952 +0200
+++ unstable/xen/common/compat/grant_table.c	2022-10-10 10:31:25.000000000 +0200
@@ -176,7 +176,12 @@ int compat_grant_table_op(
                     { \
                         for ( i = 0; i < (_s_)->nr_frames; ++i ) \
                         { \
-                            unsigned int frame = (_s_)->frame_list.p[i]; \
+                            compat_pfn_t frame = (_s_)->frame_list.p[i]; \
+                            if ( frame != (_s_)->frame_list.p[i] ) \
+                            { \
+                                (_s_)->status = GNTST_address_too_big; \
+                                break; \
+                            } \
                             if ( __copy_to_compat_offset((_d_)->frame_list, \
                                                          i, &frame, 1) ) \
                             { \

On 02/12/2022 09:46, Jan Beulich wrote:
> Returning back truncated frame numbers is unhelpful: Quite likely
> they're not owned by the domain (if it's PV), or we may misguide the
> guest into writing grant entries into a page that it actually uses for
> other purposes.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>