[Xen-changelog] [xen-4.1-testing] xen: add missing guest address range checks to XENMEM_exchange handlers
# HG changeset patch # User Jan Beulich <jbeulich@xxxxxxxx> # Date 1354646996 0 # Node ID f81286b3be32cc1292d279013ce61e8636dd8cdb # Parent e7c8ffa11596af038713773d984e3ee1759f4083 xen: add missing guest address range checks to XENMEM_exchange handlers Ever since its existence (3.0.3 iirc) the handler for this has been using non address range checking guest memory accessors (i.e. the ones prefixed with two underscores) without first range checking the accessed space (via guest_handle_okay()), allowing a guest to access and overwrite hypervisor memory. This is XSA-29 / CVE-2012-5513. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Committed-by: Ian Jackson <ian.jackson.citrix.com> --- diff -r e7c8ffa11596 -r f81286b3be32 xen/common/compat/memory.c --- a/xen/common/compat/memory.c Tue Dec 04 18:49:53 2012 +0000 +++ b/xen/common/compat/memory.c Tue Dec 04 18:49:56 2012 +0000 @@ -114,6 +114,12 @@ int compat_memory_op(unsigned int cmd, X (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) ) return -EINVAL; + if ( !compat_handle_okay(cmp.xchg.in.extent_start, + cmp.xchg.in.nr_extents) || + !compat_handle_okay(cmp.xchg.out.extent_start, + cmp.xchg.out.nr_extents) ) + return -EFAULT; + start_extent = cmp.xchg.nr_exchanged; end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) / (((1U << ABS(order_delta)) + 1) * diff -r e7c8ffa11596 -r f81286b3be32 xen/common/memory.c --- a/xen/common/memory.c Tue Dec 04 18:49:53 2012 +0000 +++ b/xen/common/memory.c Tue Dec 04 18:49:56 2012 +0000 
@@ -289,6 +289,13 @@ static long memory_exchange(XEN_GUEST_HA goto fail_early; } + if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || + !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) + { + rc = -EFAULT; + goto fail_early; + } + /* Only privileged guests can allocate multi-page contiguous extents. */ if ( !multipage_allocation_permitted(current->domain, exch.in.extent_order) || _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
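Review bot: In the xen/common/compat/memory.c hunk, the new compat_handle_okay() pair in compat_memory_op() has no comment saying why it must sit ahead of `start_extent = cmp.xchg.nr_exchanged;`. The commit message explains that the accessors used on these handles do no range checking of their own, but nothing in the code records that dependency, so a later reshuffle could move the extent processing above the check. Suggest a one-line comment stating that in.extent_start and out.extent_start are accessed with unchecked accessors from here on. The check covers all nr_extents elements of each array rather than only those from nr_exchanged onward, which is the conservative choice and worth keeping.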
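Review bot: In the xen/common/memory.c hunk, the new guest_handle_okay() block in memory_exchange() is uncommented, while the check directly below it carries one ("Only privileged guests can allocate multi-page contiguous extents."). Suggest a matching comment that names the invariant: both extent arrays are range checked once here because the rest of the handler uses the double-underscore accessors. Placing the check before multipage_allocation_permitted() and exiting through fail_early with rc = -EFAULT matches the error path just above it. The visible context does not show how nr_exchanged is bounded against nr_extents, so it is worth confirming that the earlier validation keeps every index used with the unchecked accessors inside the ranges verified here.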