[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.8] improve XENMEM_add_to_physmap_batch address checking



commit ae3aac94ff597913180a226a57c5ed9b187dd202
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Wed Dec 20 16:07:45 2017 +0100
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Wed Dec 20 16:07:45 2017 +0100

    improve XENMEM_add_to_physmap_batch address checking
    
    As a follow-up to XSA-212 we should have addressed a similar issue here:
    The handles being advanced at the top of xenmem_add_to_physmap_batch()
    means we allow hypervisor space accesses (in particular, for "errs",
    writes) with suitably crafted input arguments. This isn't a security
    issue in this case because of the limited width of struct
    xen_add_to_physmap_batch's size field: It being 16-bits wide, only the
    r/o M2P area can be accessed. Still we can and should do better.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 7f080956e9eed821fd42013bef11c1a2873fbeba
    master date: 2017-11-28 13:15:12 +0100
---
 xen/common/memory.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/xen/common/memory.c b/xen/common/memory.c
index e1a8dc3..1770f24 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -805,6 +805,11 @@ static int xenmem_add_to_physmap_batch(struct domain *d,
     guest_handle_add_offset(xatpb->errs, start);
     xatpb->size -= start;
 
+    if ( !guest_handle_okay(xatpb->idxs, xatpb->size) ||
+         !guest_handle_okay(xatpb->gpfns, xatpb->size) ||
+         !guest_handle_okay(xatpb->errs, xatpb->size) )
+        return -EFAULT;
+
     while ( xatpb->size > done )
     {
         xen_ulong_t idx;
@@ -1123,10 +1128,7 @@ long do_memory_op(unsigned long cmd, 
XEN_GUEST_HANDLE_PARAM(void) arg)
         if ( start_extent != (typeof(xatpb.size))start_extent )
             return -EDOM;
 
-        if ( copy_from_guest(&xatpb, arg, 1) ||
-             !guest_handle_okay(xatpb.idxs, xatpb.size) ||
-             !guest_handle_okay(xatpb.gpfns, xatpb.size) ||
-             !guest_handle_okay(xatpb.errs, xatpb.size) )
+        if ( copy_from_guest(&xatpb, arg, 1) )
             return -EFAULT;
 
         /* This mapspace is unsupported for this hypercall. */
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.8

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.