|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] x86: restrict XEN_DOMCTL_getmemlist
commit 19f027cc5daff4a37fd0a28bca2514c721852dd0
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Wed Nov 27 09:00:41 2013 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Nov 27 09:00:41 2013 +0100
x86: restrict XEN_DOMCTL_getmemlist
Coverity ID 1055652
(See the code comment.)
This is CVE-2013-4553 / XSA-74.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Tim Deegan <tim@xxxxxxx>
---
xen/arch/x86/domctl.c | 20 ++++++++++++++++++++
1 files changed, 20 insertions(+), 0 deletions(-)
diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c
index 8644218..ef6c140 100644
--- a/xen/arch/x86/domctl.c
+++ b/xen/arch/x86/domctl.c
@@ -329,6 +329,26 @@ long arch_do_domctl(
break;
}
+ /*
+ * XSA-74: This sub-hypercall is broken in several ways:
+ * - lock order inversion (p2m locks inside page_alloc_lock)
+ * - no preemption on huge max_pfns input
+ * - not (re-)checking d->is_dying with page_alloc_lock held
+ * - not honoring start_pfn input (which libxc also doesn't set)
+ * Additionally it is rather useless, as the result is stale by the
+ * time the caller gets to look at it.
+ * As it only has a single, non-production consumer (xen-mceinj),
+ * rather than trying to fix it we restrict it for the time being.
+ */
+ if ( /* No nested locks inside copy_to_guest_offset(). */
+ paging_mode_external(current->domain) ||
+ /* Arbitrary limit capping processing time. */
+ max_pfns > GB(4) / PAGE_SIZE )
+ {
+ ret = -EOPNOTSUPP;
+ break;
+ }
+
spin_lock(&d->page_alloc_lock);
ret = i = 0;
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |