|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-4.1-testing] x86/physdev: Range check pirq parameter from guests
# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1352892906 0
# Node ID 210f16b6509b7462481da2e64e4fe20efcdb899d
# Parent 701f5e3321c13e2b07708dcdc224472051038ca4
x86/physdev: Range check pirq parameter from guests
Otherwise Xen will read beyond either end of the struct
domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.
This vulnerability was introduced by c/s 23241:d21100f1d00e, which adds
a call to domain_pirq_to_emuirq() which uses the guest provided pirq
value before range checking it, and was fixed by c/s 23573:584c2e5e03d9
which changed the behaviour of the domain_pirq_to_emuirq() macro to use
radix trees instead of a flat array.
This is XSA-21 / CVE-2012-4536.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Acked-by: Jan Beulich <jbeulich@xxxxxxxx>
Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Committed-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
---
diff -r 701f5e3321c1 -r 210f16b6509b xen/arch/x86/physdev.c
--- a/xen/arch/x86/physdev.c Wed Nov 14 11:33:36 2012 +0000
+++ b/xen/arch/x86/physdev.c Wed Nov 14 11:35:06 2012 +0000
@@ -234,6 +234,10 @@ static int physdev_unmap_pirq(struct phy
if ( ret )
return ret;
+ ret = -EINVAL;
+ if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs )
+ goto free_domain;
+
if ( is_hvm_domain(d) )
{
spin_lock(&d->event_lock);
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |