|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-4.1-testing] x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1346844596 -3600
# Node ID 936f63ee4dadb832222c029e958ae7c7564ec0e8
# Parent 8ebda5388e4e83a69c73bdd7621e76e1de4fc995
x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI
This is being used as a array index, and hence must be validated before
use.
This is XSA-16 / CVE-2012-3498.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
diff -r 8ebda5388e4e -r 936f63ee4dad xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c Wed Sep 05 12:29:05 2012 +0100
+++ b/xen/arch/x86/physdev.c Wed Sep 05 12:29:56 2012 +0100
@@ -40,11 +40,18 @@ static int physdev_hvm_map_pirq(
struct hvm_girq_dpci_mapping *girq;
uint32_t machine_gsi = 0;
+ if ( map->index < 0 || map->index >= NR_HVM_IRQS )
+ {
+ ret = -EINVAL;
+ break;
+ }
+
/* find the machine gsi corresponding to the
* emulated gsi */
hvm_irq_dpci = domain_get_irq_dpci(d);
if ( hvm_irq_dpci )
{
+ BUILD_BUG_ON(ARRAY_SIZE(hvm_irq_dpci->girq) < NR_HVM_IRQS);
list_for_each_entry ( girq,
&hvm_irq_dpci->girq[map->index],
list )
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |