[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.7] x86/shadow: Avoid overflowing sh_ctxt->seg_reg[]
commit 0c9b94208f91032a06198d10a307d86a66e9f207 Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Thu Sep 8 14:23:06 2016 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Sep 8 14:23:06 2016 +0200 x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] hvm_get_seg_reg() does not perform a range check on its input segment, calls hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[]. x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG() in {vmx,svm}_get_segment_register(). HVM guests running with shadow paging can end up performing a virtual to linear translation with x86_seg_none. This is used for addresses which are already linear. However, none of this is a legitimate pagetable update, so fail the emulation in such a case. This is XSA-187 / CVE-2016-7094. Reported-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Tim Deegan <tim@xxxxxxx> master commit: a9f3b3bad17d91e2067fc00d51b0302349570d08 master date: 2016-09-08 14:16:26 +0200 --- xen/arch/x86/mm/shadow/common.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 226e32d..a4f52ee 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -140,9 +140,18 @@ static int hvm_translate_linear_addr( struct sh_emulate_ctxt *sh_ctxt, unsigned long *paddr) { - struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); + struct segment_register *reg; int okay; + /* + * Can arrive here with non-user segments. However, no such cirucmstance + * is part of a legitimate pagetable update, so fail the emulation. + */ + if ( !is_x86_user_segment(seg) ) + return X86EMUL_UNHANDLEABLE; + + reg = hvm_get_seg_reg(seg, sh_ctxt); + okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.7 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |