Xen project Mailing List

[Xen-changelog] [xen-4.1-testing] x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range

From: Xen patchbot-4.1-testing <patchbot@xxxxxxx>

Date: Thu, 04 Oct 2012 16:11:09 +0000

Delivery-date: Thu, 04 Oct 2012 16:11:18 +0000

List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch # User Jan Beulich <jbeulich@xxxxxxxx> # Date 1349339839 -7200 # Node ID ab6d1c5270024005541a2caccad0b518457e510f # Parent 90fcc034c1a89b21631cdffb0248f28c7b3cfe50 x86: properly check XEN_DOMCTL_ioport_mapping arguments for invalid range In particular, the case of "np" being a very large value wasn't handled correctly. The range start checks also were off by one (except that in practice, when "np" is properly range checked, this would still have been caught by the range end checks). Also, is a GFN wrap in XEN_DOMCTL_memory_mapping really okay? Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Keir Fraser <keir@xxxxxxx> xen-unstable changeset: 25927:3e3959413b2f xen-unstable date: Wed Sep 19 07:27:55 UTC 2012 --- diff -r 90fcc034c1a8 -r ab6d1c527002 xen/arch/x86/domctl.c --- a/xen/arch/x86/domctl.c Thu Oct 04 10:35:37 2012 +0200 +++ b/xen/arch/x86/domctl.c Thu Oct 04 10:37:19 2012 +0200 @@ -1015,7 +1015,7 @@ long arch_do_domctl( int found = 0; ret = -EINVAL; - if ( (np == 0) || (fgp > MAX_IOPORTS) || (fmp > MAX_IOPORTS) || + if ( ((fgp | fmp | (np - 1)) >= MAX_IOPORTS) || ((fgp + np) > MAX_IOPORTS) || ((fmp + np) > MAX_IOPORTS) ) { gdprintk(XENLOG_ERR, _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.