
[Xen-changelog] [xen stable-4.1] defer event channel bucket pointer store until after XSM checks



commit b10b4af626d95cd432576cad0e2f500769c1e002
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Apr 5 10:04:03 2013 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Apr 5 10:04:03 2013 +0200

    defer event channel bucket pointer store until after XSM checks
    
    Otherwise a dangling pointer can be left, which would cause subsequent
    memory corruption as soon as the space got re-allocated for some other
    purpose.
    
    This is CVE-2013-1920 / XSA-47.
    
    Reported-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Tim Deegan <tim@xxxxxxx>
    master commit: 99b9ab0b3e7f0e7e5786116773cb7b746f3fab87
    master date: 2013-04-05 09:59:03 +0200
---
 xen/common/event_channel.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index fee9a7a..5c7bdb6 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -104,7 +104,6 @@ static int get_free_port(struct domain *d)
     if ( unlikely(chn == NULL) )
         return -ENOMEM;
     memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn));
-    bucket_from_port(d, port) = chn;
 
     for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
     {
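Review bot: With the "bucket_from_port(d, port) = chn;" store removed from ahead of the for loop, the loop body now runs while the domain's bucket slot for this port is still unset, so everything inside the loop has to reach the new channels through chn[i] directly and not through a port-based lookup. Only the first lines of the loop are visible in this hunk, so please confirm that holds for the whole body.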
@@ -117,6 +116,8 @@ static int get_free_port(struct domain *d)
         }
     }
 
+    bucket_from_port(d, port) = chn;
+
     return port;
 }
 
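Review bot: The new "bucket_from_port(d, port) = chn;" just before "return port;" carries no comment, yet its position is the entire fix: per the commit message, storing the pointer before the XSM checks can leave it dangling. Suggest a one-line comment above the store saying the bucket is published only once the loop can no longer fail, so that a later cleanup does not move it back up next to the memset().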
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.1

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

