|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] x86: check segment descriptor read result in 64-bit OUTS emulation
commit 0771faba163769089c9f05f7f76b63e397677613
Author: Matthew Daley <mattjd@xxxxxxxxx>
AuthorDate: Thu Oct 10 15:19:53 2013 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Oct 10 15:19:53 2013 +0200
x86: check segment descriptor read result in 64-bit OUTS emulation
When emulating such an operation from a 64-bit context (CS has long
mode set), and the data segment is overridden to FS/GS, the result of
reading the overridden segment's descriptor (read_descriptor) is not
checked. If it fails, data_base is left uninitialized.
This can lead to 8 bytes of Xen's stack being leaked to the guest
(implicitly, i.e. via the address given in a #PF).
Coverity-ID: 1055116
This is CVE-2013-4368 / XSA-67.
Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx>
Fix formatting.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
xen/arch/x86/traps.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 47c71b7..4a09502 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -1986,10 +1986,10 @@ static int emulate_privileged_op(struct cpu_user_regs
*regs)
break;
}
}
- else
- read_descriptor(data_sel, v, regs,
- &data_base, &data_limit, &ar,
- 0);
+ else if ( !read_descriptor(data_sel, v, regs,
+ &data_base, &data_limit, &ar, 0) ||
+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
+ goto fail;
data_limit = ~0UL;
ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
}
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |