|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-3.2-testing] ioemu: Fix PVFB backend to limit frame buffer size
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1210841612 -3600
# Node ID 57cfcbe761b8aeb03f430c828e25a400d7a9b2d6
# Parent 11dc8a6ba4a5309de982d1ecc25f15e0412449ea
ioemu: Fix PVFB backend to limit frame buffer size
The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly. This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.
Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
xen-unstable changeset: 17643:9044705960cb30cec385bdca7305bcf7db096721
xen-unstable date: Thu May 15 09:36:38 2008 +0100
---
tools/ioemu/hw/xenfb.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletion(-)
diff -r 11dc8a6ba4a5 -r 57cfcbe761b8 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c Thu May 15 09:47:41 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c Thu May 15 09:53:32 2008 +0100
@@ -481,9 +481,15 @@ static int xenfb_configure_fb(struct xen
size_t mfn_sz = sizeof(*((struct xenfb_page *)0)->pd);
size_t pd_len = sizeof(((struct xenfb_page *)0)->pd) / mfn_sz;
size_t fb_pages = pd_len * XC_PAGE_SIZE / mfn_sz;
- size_t fb_len_max = fb_pages * XC_PAGE_SIZE;
+ size_t fb_len_lim = fb_pages * XC_PAGE_SIZE;
int max_width, max_height;
+ if (fb_len > fb_len_lim) {
+ fprintf(stderr,
+ "FB: frontend fb size %zu limited to %zu\n",
+ fb_len, fb_len_lim);
+ fb_len = fb_len_lim;
+ }
if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
fprintf(stderr,
"FB: can't handle frontend fb depth %d\n",
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |