|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] defer event channel bucket pointer store until after XSM checks
commit 99b9ab0b3e7f0e7e5786116773cb7b746f3fab87
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Apr 5 09:59:03 2013 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Apr 5 09:59:03 2013 +0200
defer event channel bucket pointer store until after XSM checks
Otherwise a dangling pointer can be left, which would cause subsequent
memory corruption as soon as the space got re-allocated for some other
purpose.
This is CVE-2013-1920 / XSA-47.
Reported-by: Wei Liu <wei.liu2@xxxxxxxxxx>
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Tim Deegan <tim@xxxxxxx>
---
xen/common/event_channel.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c
index a0f293f..0a6684c 100644
--- a/xen/common/event_channel.c
+++ b/xen/common/event_channel.c
@@ -140,7 +140,6 @@ static int get_free_port(struct domain *d)
chn = xzalloc_array(struct evtchn, EVTCHNS_PER_BUCKET);
if ( unlikely(chn == NULL) )
return -ENOMEM;
- bucket_from_port(d, port) = chn;
for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )
{
@@ -153,6 +152,8 @@ static int get_free_port(struct domain *d)
}
}
+ bucket_from_port(d, port) = chn;
+
return port;
}
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |