[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI


  • To: xen-changelog@xxxxxxxxxxxxxxxxxxx
  • From: Xen patchbot-unstable <patchbot@xxxxxxx>
  • Date: Thu, 06 Sep 2012 14:11:09 +0000
  • Delivery-date: Thu, 06 Sep 2012 14:11:22 +0000
  • List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1346844592 -3600
# Node ID 2750340a347da93fa694bbbf60d71b44fe3b0ca7
# Parent  bcf58ef63b7c844fe431eb9e394fc1ea5dd437c4
x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI

This is being used as a array index, and hence must be validated before
use.

This is XSA-16 / CVE-2012-3498.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---


diff -r bcf58ef63b7c -r 2750340a347d xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c    Wed Sep 05 12:29:03 2012 +0100
+++ b/xen/arch/x86/physdev.c    Wed Sep 05 12:29:52 2012 +0100
@@ -42,11 +42,18 @@ static int physdev_hvm_map_pirq(
         struct hvm_girq_dpci_mapping *girq;
         uint32_t machine_gsi = 0;
 
+        if ( *index < 0 || *index >= NR_HVM_IRQS )
+        {
+            ret = -EINVAL;
+            break;
+        }
+
         /* find the machine gsi corresponding to the
          * emulated gsi */
         hvm_irq_dpci = domain_get_irq_dpci(d);
         if ( hvm_irq_dpci )
         {
+            BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
             list_for_each_entry ( girq,
                                   &hvm_irq_dpci->girq[*index],
                                   list )

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.