[xen staging-4.17] x86/viridian: avoid NULL pointer dereference in viridian_synic_deliver_timer_msg()
commit f20f97564437698243f010b1ccba0d77cf5b133f
Author: Roger Pau Monné <roger.pau@xxxxxxxxxx>
AuthorDate: Tue Sep 9 14:27:00 2025 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 9 14:27:00 2025 +0200
x86/viridian: avoid NULL pointer dereference in
viridian_synic_deliver_timer_msg()
The function is called unconditionally, regardless of whether the SIM page
is mapped. Avoid a NULL pointer dereference in
viridian_synic_deliver_timer_msg() by checking whether the SIM page is
mapped.
This is CVE-2025-58142 / part of XSA-472.
Fixes: 26fba3c85571 ('viridian: add implementation of synthetic timers')
Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
master commit: 3a7b4f2897a352cff287be97d27150b290a5d1ee
master date: 2025-09-09 14:11:34 +0200
---
xen/arch/x86/hvm/viridian/synic.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xen/arch/x86/hvm/viridian/synic.c
b/xen/arch/x86/hvm/viridian/synic.c
index 856bb898b8..c5bab2d6fd 100644
--- a/xen/arch/x86/hvm/viridian/synic.c
+++ b/xen/arch/x86/hvm/viridian/synic.c
@@ -339,6 +339,10 @@ bool viridian_synic_deliver_timer_msg(struct vcpu *v,
unsigned int sintx,
.DeliveryTime = delivery,
};
+ /* Don't assume SIM page to be mapped. */
+ if ( !msg )
+ return false;
+
/*
* To avoid using an atomic test-and-set, and barrier before calling
* vlapic_set_irq(), this function must be called in context of the
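Review bot: The early `return false` under `if ( !msg )` does not say what a false return means to the caller when the SIM page is unmapped. Neither the hunk nor the commit message shows whether the caller treats false as "message slot busy, try again later" or as a final failure, so please confirm that the unmapped case cannot leave the timer being retried indefinitely, and state the intended behaviour in the comment. The comment would also be easier to follow if it said that `msg` is derived from the SIM page mapping, since that link is not visible at this point in the function. Placing the check after the payload initialiser is harmless, and it is correctly ahead of the remaining code in the function, which presumably uses `msg`.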
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.17