[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.5] grant_table: fix GNTTABOP_cache_flush handling



commit 0b2ceae92fb902df0c07b7a696d5be963b756883
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Sep 12 15:17:22 2017 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 12 15:17:22 2017 +0200

    grant_table: fix GNTTABOP_cache_flush handling
    
    Don't fall over a NULL grant_table pointer when the owner of the domain
    is a system domain (DOMID_{XEN,IO} etc).
    
    This is CVE-2017-14318 / XSA-232.
    
    Reported-by: Matthew Daley <mattd@xxxxxxxxxxx>
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: c3d830b244998b3686e2eb64db95996be5eb5e5c
    master date: 2017-09-12 14:44:11 +0200
---
 xen/common/grant_table.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index f191ed4..fe91538 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2620,7 +2620,7 @@ static int __gnttab_cache_flush(gnttab_cache_flush_t 
*cflush,
 
     page = mfn_to_page(mfn);
     owner = page_get_owner_and_reference(page);
-    if ( !owner )
+    if ( !owner || !owner->grant_table )
     {
         rcu_unlock_domain(d);
         return -EPERM;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.5

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.