[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] grant_table: fix GNTTABOP_cache_flush handling
commit c3d830b244998b3686e2eb64db95996be5eb5e5c Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> AuthorDate: Tue Sep 12 14:44:11 2017 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Sep 12 14:44:11 2017 +0200 grant_table: fix GNTTABOP_cache_flush handling Don't fall over a NULL grant_table pointer when the owner of the domain is a system domain (DOMID_{XEN,IO} etc). This is CVE-2017-14318 / XSA-232. Reported-by: Matthew Daley <mattd@xxxxxxxxxxx> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> --- xen/common/grant_table.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index fb3859c..c3895e6 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -3046,7 +3046,7 @@ static int cache_flush(gnttab_cache_flush_t *cflush, grant_ref_t *cur_ref) page = mfn_to_page(mfn); owner = page_get_owner_and_reference(page); - if ( !owner ) + if ( !owner || !owner->grant_table ) { rcu_unlock_domain(d); return -EPERM; -- generated by git-patchbot for /home/xen/git/xen.git#master _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |