[xen stable-4.20] x86/viridian: avoid NULL pointer dereference in update_reference_tsc()
commit 5f83f721fb62bc59505f07150af23a12ad90a711 Author: Roger Pau Monné <roger.pau@xxxxxxxxxx> AuthorDate: Tue Sep 9 14:20:46 2025 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Sep 9 14:20:46 2025 +0200 x86/viridian: avoid NULL pointer dereference in update_reference_tsc() The function is only called when the MSR has the enabled bit set, but even then the page might not be mapped because the guest provided gfn is not suitable. Prevent a NULL pointer dereference in update_reference_tsc() by checking whether the page is mapped. This is CVE-2025-27466 / part of XSA-472. Fixes: 386b3365221d ('viridian: use viridian_map/unmap_guest_page() for reference tsc page') Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: 5776a2e9db0155cfd76388c8197ca7788bb4b361 master date: 2025-09-09 14:11:09 +0200 --- xen/arch/x86/hvm/viridian/time.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/arch/x86/hvm/viridian/time.c b/xen/arch/x86/hvm/viridian/time.c index 137577384f..ca6d526f46 100644 --- a/xen/arch/x86/hvm/viridian/time.c +++ b/xen/arch/x86/hvm/viridian/time.c @@ -26,6 +26,10 @@ static void update_reference_tsc(const struct domain *d, bool initialize) HV_REFERENCE_TSC_PAGE *p = rt->ptr; uint32_t seq; + /* Reference TSC page might not be mapped even if the MSR is enabled. */ + if ( !p ) + return; + if ( initialize ) clear_page(p); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.20
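Review bot: The comment above the new `if ( !p )` check in update_reference_tsc() says the page might not be mapped but not why; the reason (the guest-provided gfn is not suitable) appears only in the commit message, so consider carrying it into the comment, for example `/* The guest-provided gfn may be unsuitable, leaving rt->ptr NULL even with the MSR enabled. */`. The check sits ahead of `clear_page(p)`, the first use of `p` in the visible context, which is the right place for it. Because the early return is silent and this hunk only guards this one function, it would help to note whether other users of `rt->ptr` already handle a NULL pointer.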