
[Xen-changelog] [xen-unstable] [IA64] Check slot for itr.d and itr.i and generate interrupt in case of error.



# HG changeset patch
# User Alex Williamson <alex.williamson@xxxxxx>
# Date 1190048367 21600
# Node ID 487df63c4ae9235163f041fbf2a1d8af657630a9
# Parent  b5488dee14af39dc57fa68a5f553617c315bf86b
[IA64] Check slot for itr.d and itr.i and generate interrupt in case of error.

This avoids a buffer overflow in Xen.

Signed-off-by: Tristan Gingold <tgingold@xxxxxxx>
---
 xen/arch/ia64/vmx/vmmu.c     |   12 ++++++++++++
 xen/arch/ia64/vmx/vmx_virt.c |   20 ++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)

diff -r b5488dee14af -r 487df63c4ae9 xen/arch/ia64/vmx/vmmu.c
--- a/xen/arch/ia64/vmx/vmmu.c  Mon Sep 17 09:28:58 2007 -0600
+++ b/xen/arch/ia64/vmx/vmmu.c  Mon Sep 17 10:59:27 2007 -0600
@@ -403,6 +403,12 @@ IA64FAULT vmx_vcpu_itr_i(VCPU *vcpu, u64
     }
     thash_purge_entries(vcpu, va, ps);
 #endif
+
+    if (slot >= NITRS) {
+        panic_domain(NULL, "bad itr.i slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+        
     pte &= ~PAGE_FLAGS_RV_MASK;
     vcpu_get_rr(vcpu, va, &rid);
     rid = rid& RR_RID_MASK;
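Review bot: The `%ld` in `panic_domain(NULL, "bad itr.i slot (%ld)", slot);` formats the slot as signed, while the vmx_virt.c callers touched by this same patch declare `slot` as `u64` (the parameter list in this hunk header is cut off, so the type here is inferred). A rejected value with the top bit set would be logged as a negative number, which obscures what the guest actually supplied; `"bad itr.i slot (%lu)"` or `"bad itr.i slot (0x%lx)"` would record it faithfully. The same applies to the `"bad itr.d slot (%ld)"` message in the vmx_vcpu_itr_d hunk that follows. The guard also sits after the conditional block ending in `thash_purge_entries(vcpu, va, ps);`, so in builds where that block is compiled the purge appears to run before the slot is validated; checking at function entry would avoid that, though the start of the function is outside this hunk.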
@@ -431,6 +437,12 @@ IA64FAULT vmx_vcpu_itr_d(VCPU *vcpu, u64
         return IA64_FAULT;
     }
 #endif   
+
+    if (slot >= NDTRS) {
+        panic_domain(NULL, "bad itr.d slot (%ld)", slot);
+        return IA64_FAULT;
+    }
+
     pte &= ~PAGE_FLAGS_RV_MASK;
 
     /* This is a bad workaround
diff -r b5488dee14af -r 487df63c4ae9 xen/arch/ia64/vmx/vmx_virt.c
--- a/xen/arch/ia64/vmx/vmx_virt.c      Mon Sep 17 09:28:58 2007 -0600
+++ b/xen/arch/ia64/vmx/vmx_virt.c      Mon Sep 17 10:59:27 2007 -0600
@@ -567,6 +567,7 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
 static IA64FAULT vmx_emul_itr_d(VCPU *vcpu, INST64 inst)
 {
     u64 itir, ifa, pte, slot;
+    ISR isr;
 #ifdef  VMAL_NO_FAULT_CHECK
     IA64_PSR  vpsr;
     vpsr.val=vmx_vcpu_get_psr(vcpu);
@@ -575,7 +576,6 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
         illegal_op(vcpu);
         return IA64_FAULT;
     }
-    ISR isr;
     if ( vpsr.cpl != 0) {
         /* Inject Privileged Operation fault into guest */
         set_privileged_operation_isr (vcpu, 0);
@@ -618,14 +618,22 @@ static IA64FAULT vmx_emul_itr_d(VCPU *vc
    }
 #endif // VMAL_NO_FAULT_CHECK
 
+    if (slot >= NDTRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+
     return (vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa));
 }
 
 static IA64FAULT vmx_emul_itr_i(VCPU *vcpu, INST64 inst)
 {
     u64 itir, ifa, pte, slot;
-#ifdef  VMAL_NO_FAULT_CHECK
     ISR isr;
+#ifdef  VMAL_NO_FAULT_CHECK
     IA64_PSR  vpsr;
     vpsr.val=vmx_vcpu_get_psr(vcpu);
     if ( vpsr.ic ) {
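Review bot: The new `if (slot >= NDTRS)` guard in front of `vmx_vcpu_itr_d(vcpu,slot,pte,itir,ifa)` carries no comment explaining why it is placed after `#endif // VMAL_NO_FAULT_CHECK`, and that placement is the part that matters. Per the commit message the bound prevents a buffer overflow, so it has to hold in every build configuration and not only when the other fault checks are compiled in. A short comment such as `/* Always validate slot, regardless of VMAL_NO_FAULT_CHECK: an out-of-range value overflows in vmx_vcpu_itr_d(). */` would keep a later cleanup from folding it into the #ifdef. The same five-line reserved-register fault sequence is repeated for `slot >= NITRS` in vmx_emul_itr_i in the last hunk, and a small static helper taking `vcpu` would keep the two copies from drifting apart. The assignment of `slot` in both functions lies outside the visible hunks, so whether it is always initialised before this comparison cannot be confirmed from here.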
@@ -675,6 +683,14 @@ static IA64FAULT vmx_emul_itr_i(VCPU *vc
    }
 #endif // VMAL_NO_FAULT_CHECK
 
+    if (slot >= NITRS) {
+        isr.val = set_isr_ei_ni(vcpu);
+        isr.code = IA64_RESERVED_REG_FAULT;
+        vcpu_set_isr(vcpu, isr.val);
+        rsv_reg_field(vcpu);
+        return IA64_FAULT;
+    }
+ 
    return (vmx_vcpu_itr_i(vcpu,slot,pte,itir,ifa));
 }
 
