|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] ioemu: Fix PVFB backend to limit frame buffer size
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210840598 -3600
# Node ID 9044705960cb30cec385bdca7305bcf7db096721
# Parent 86587698116d742ff257e64ddfd230157fcee42c
ioemu: Fix PVFB backend to limit frame buffer size
The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly. This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.
Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
---
tools/ioemu/hw/xenfb.c | 1 +
1 files changed, 1 insertion(+)
diff -r 86587698116d -r 9044705960cb tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c Wed May 14 14:12:53 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c Thu May 15 09:36:38 2008 +0100
@@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xen
fprintf(stderr,
"FB: frontend fb size %zu limited to %zu\n",
fb_len, fb_len_lim);
+ fb_len = fb_len_lim;
}
if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
fprintf(stderr,
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |