|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen master] x86/HVM: bound number of pinned cache attribute regions
commit d484dcca7972794ad70cefd3af73fe0328d610f1
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Mar 21 12:01:01 2023 +0000
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Tue Mar 21 12:07:41 2023 +0000
x86/HVM: bound number of pinned cache attribute regions
This is exposed via DMOP, i.e. to potentially not fully privileged
device models. With that we may not permit registration of an (almost)
unbounded amount of such regions.
This is CVE-2022-42333 / part of XSA-428.
Fixes: 642123c5123f ("x86/hvm: provide XEN_DMOP_pin_memory_cacheattr")
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
xen/arch/x86/hvm/mtrr.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/xen/arch/x86/hvm/mtrr.c b/xen/arch/x86/hvm/mtrr.c
index 344edc2d6a..58f755128c 100644
--- a/xen/arch/x86/hvm/mtrr.c
+++ b/xen/arch/x86/hvm/mtrr.c
@@ -588,6 +588,7 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d, uint64_t
gfn_start,
uint64_t gfn_end, uint32_t type)
{
struct hvm_mem_pinned_cacheattr_range *range;
+ unsigned int nr = 0;
int rc = 1;
if ( !is_hvm_domain(d) )
@@ -659,11 +660,15 @@ int hvm_set_mem_pinned_cacheattr(struct domain *d,
uint64_t gfn_start,
rc = -EBUSY;
break;
}
+ ++nr;
}
rcu_read_unlock(&pinned_cacheattr_rcu_lock);
if ( rc <= 0 )
return rc;
+ if ( nr >= 64 /* The limit is arbitrary. */ )
+ return -ENOSPC;
+
range = xzalloc(struct hvm_mem_pinned_cacheattr_range);
if ( range == NULL )
return -ENOMEM;
--
generated by git-patchbot for /home/xen/git/xen.git#master
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |