[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.6] x86/32on64: properly honor add-to-physmap-batch's size



commit d48df033095afadd82435e591ce66433bc6d3be2
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Fri Jun 9 13:54:27 2017 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Jun 9 13:54:27 2017 +0200

    x86/32on64: properly honor add-to-physmap-batch's size
    
    Commit 407a3c00ff ("compat/memory: fix build with old gcc") "fixed" a
    build issue by switching to the use of uninitialized data. Due to
    - the bounding of the uninitialized data item
    - the accessed area being outside of Xen space
    - arguments being properly verified by the native hypercall function
    this is not a security issue.
    
    Reported-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 144aec4140515c53bb1676df71a469f3e285c557
    master date: 2017-04-26 09:48:45 +0200
---
 xen/common/compat/memory.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
index a31fa9b..8e257a0 100644
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -249,12 +249,14 @@ int compat_memory_op(unsigned int cmd, 
XEN_GUEST_HANDLE_PARAM(void) compat)
             unsigned int limit = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.atpb))
                                  / (sizeof(nat.atpb->idxs.p) + 
sizeof(nat.atpb->gpfns.p));
             /* Use an intermediate variable to suppress warnings on old gcc: */
-            unsigned int size = cmp.atpb.size;
+            unsigned int size;
             xen_ulong_t *idxs = (void *)(nat.atpb + 1);
             xen_pfn_t *gpfns = (void *)(idxs + limit);
 
-            if ( copy_from_guest(&cmp.atpb, compat, 1) ||
-                 !compat_handle_okay(cmp.atpb.idxs, size) ||
+            if ( copy_from_guest(&cmp.atpb, compat, 1) )
+                return -EFAULT;
+            size = cmp.atpb.size;
+            if ( !compat_handle_okay(cmp.atpb.idxs, size) ||
                  !compat_handle_okay(cmp.atpb.gpfns, size) ||
                  !compat_handle_okay(cmp.atpb.errs, size) )
                 return -EFAULT;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.