[Xen-changelog] [xen stable-4.2] x86/mem_event: validate the response vcpu_id before acting on it
commit b1d8b364c5e90295263d77f0da14127d4197b585
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Mon Jul 28 15:15:21 2014 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Mon Jul 28 15:15:21 2014 +0200

x86/mem_event: validate the response vcpu_id before acting on it

Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Tim Deegan <tim@xxxxxxx>
Reviewed-by: Andres Lagar-Cavilla <andres@xxxxxxxxxxxxxxxx>
Tested-by: Razvan Cojocaru <rcojocaru@xxxxxxxxxxxxxxx>
master commit: ee75480b3c8856db9ef1aa45418f35ec0d78989d
master date: 2014-07-23 18:07:11 +0200
---
 xen/arch/x86/mm/mem_sharing.c | 11 ++++++++++-
 xen/arch/x86/mm/p2m.c | 22 ++++++++++++++++++++--
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index 09703a1..f04034d 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -595,11 +595,20 @@ int mem_sharing_sharing_resume(struct domain *d)
 /* Get all requests off the ring */
 while ( mem_event_get_response(d, &d->mem_event->share, &rsp) )
 {
+ struct vcpu *v;
+
 if ( rsp.flags & MEM_EVENT_FLAG_DUMMY )
 continue;
+
+ /* Validate the vcpu_id in the response. */
+ if ( (rsp.vcpu_id >= d->max_vcpus) || !d->vcpu[rsp.vcpu_id] )
+ continue;
+
+ v = d->vcpu[rsp.vcpu_id];
+
 /* Unpause domain/vcpu */
 if ( rsp.flags & MEM_EVENT_FLAG_VCPU_PAUSED )
- vcpu_unpause(d->vcpu[rsp.vcpu_id]);
+ vcpu_unpause(v);
 }

 return 0;
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index afc6319..1619a79 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
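Review bot: The added comment `/* Validate the vcpu_id in the response. */` in mem_sharing_sharing_resume() restates the code without giving the reason for the check. rsp is read off the mem_event ring (presumably written by the helper on the other side) and rsp.vcpu_id is then used as an index into d->vcpu[], so I would say so, for example `/* rsp comes off the ring: bound vcpu_id before indexing d->vcpu[]. */`. The same check is added verbatim to p2m_mem_paging_resume() and p2m_mem_access_resume() in p2m.c; one shared helper that returns the `struct vcpu *` or NULL would keep the three copies from drifting apart. The range test only holds if rsp.vcpu_id is unsigned, and its declaration is outside the hunk, as is the start of the function.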
@@ -1211,8 +1211,17 @@ void p2m_mem_paging_resume(struct domain *d)
 /* Pull all responses off the ring */
 while( mem_event_get_response(d, &d->mem_event->paging, &rsp) )
 {
+ struct vcpu *v;
+
 if ( rsp.flags & MEM_EVENT_FLAG_DUMMY )
 continue;
+
+ /* Validate the vcpu_id in the response. */
+ if ( (rsp.vcpu_id >= d->max_vcpus) || !d->vcpu[rsp.vcpu_id] )
+ continue;
+
+ v = d->vcpu[rsp.vcpu_id];
+
 /* Fix p2m entry if the page was not dropped */
 if ( !(rsp.flags & MEM_EVENT_FLAG_DROP_PAGE) )
 {
@@ -1231,7 +1240,7 @@ void p2m_mem_paging_resume(struct domain *d)
 }
 /* Unpause domain */
 if ( rsp.flags & MEM_EVENT_FLAG_VCPU_PAUSED )
- vcpu_unpause(d->vcpu[rsp.vcpu_id]);
+ vcpu_unpause(v);
 }
 }

@@ -1328,11 +1337,20 @@ void p2m_mem_access_resume(struct domain *d)
 /* Pull all responses off the ring */
 while( mem_event_get_response(d, &d->mem_event->access, &rsp) )
 {
+ struct vcpu *v;
+
 if ( rsp.flags & MEM_EVENT_FLAG_DUMMY )
 continue;
+
+ /* Validate the vcpu_id in the response. */
+ if ( (rsp.vcpu_id >= d->max_vcpus) || !d->vcpu[rsp.vcpu_id] )
+ continue;
+
+ v = d->vcpu[rsp.vcpu_id];
+
 /* Unpause domain */
 if ( rsp.flags & MEM_EVENT_FLAG_VCPU_PAUSED )
- vcpu_unpause(d->vcpu[rsp.vcpu_id]);
+ vcpu_unpause(v);
 }
 }

--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.2

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
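Review bot: In p2m_mem_paging_resume() the new `continue` sits above the "Fix p2m entry if the page was not dropped" block, so a response that fails the vcpu_id check now skips the p2m fix-up as well as the unpause. In the lines shown, v is only used under MEM_EVENT_FLAG_VCPU_PAUSED, so the check could be scoped to that branch, along the lines of `if ( (rsp.flags & MEM_EVENT_FLAG_VCPU_PAUSED) && rsp.vcpu_id < d->max_vcpus && d->vcpu[rsp.vcpu_id] ) vcpu_unpause(d->vcpu[rsp.vcpu_id]);`. Whether a response without that flag can legitimately carry a vcpu_id that is not valid for d cannot be told from the hunk, and part of the loop body between the first two hunks is not shown. Both loops in this file also drop a rejected response silently; a rate-limited warning naming the domain and the rejected id would make a misbehaving ring consumer visible in the logs.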