|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.6] grant_table: fix GNTTABOP_cache_flush handling
commit a8cd2315c9e09e316c3ef9f41867fa8381ea74ad
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Sep 12 15:13:36 2017 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 12 15:13:36 2017 +0200
grant_table: fix GNTTABOP_cache_flush handling
Don't fall over a NULL grant_table pointer when the owner of the domain
is a system domain (DOMID_{XEN,IO} etc).
This is CVE-2017-14318 / XSA-232.
Reported-by: Matthew Daley <mattd@xxxxxxxxxxx>
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
master commit: c3d830b244998b3686e2eb64db95996be5eb5e5c
master date: 2017-09-12 14:44:11 +0200
---
xen/common/grant_table.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 800c5fa..6755728 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -3017,7 +3017,7 @@ static int __gnttab_cache_flush(gnttab_cache_flush_t
*cflush,
page = mfn_to_page(mfn);
owner = page_get_owner_and_reference(page);
- if ( !owner )
+ if ( !owner || !owner->grant_table )
{
rcu_unlock_domain(d);
return -EPERM;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.6
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |