
[xen master] x86/viridian: avoid NULL pointer dereference in update_reference_tsc()



commit 5776a2e9db0155cfd76388c8197ca7788bb4b361
Author:     Roger Pau Monne <roger.pau@xxxxxxxxxx>
AuthorDate: Thu Jul 10 15:51:40 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Sep 9 14:11:09 2025 +0200

    x86/viridian: avoid NULL pointer dereference in update_reference_tsc()
    
    The function is only called when the MSR has the enabled bit set, but even
    then the page might not be mapped because the guest provided gfn is not
    suitable.
    
    Prevent a NULL pointer dereference in update_reference_tsc() by checking
    whether the page is mapped.
    
    This is CVE-2025-27466 / part of XSA-472.
    
    Fixes: 386b3365221d ('viridian: use viridian_map/unmap_guest_page() for reference tsc page')
    Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
---
 xen/arch/x86/hvm/viridian/time.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/arch/x86/hvm/viridian/time.c b/xen/arch/x86/hvm/viridian/time.c
index 137577384f..ca6d526f46 100644
--- a/xen/arch/x86/hvm/viridian/time.c
+++ b/xen/arch/x86/hvm/viridian/time.c
@@ -26,6 +26,10 @@ static void update_reference_tsc(const struct domain *d, 
bool initialize)
     HV_REFERENCE_TSC_PAGE *p = rt->ptr;
     uint32_t seq;
 
+    /* Reference TSC page might not be mapped even if the MSR is enabled. */
+    if ( !p )
+        return;
+
     if ( initialize )
         clear_page(p);
 
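Review bot: the comment on the new `if ( !p ) return;` says the page "might not be mapped even if the MSR is enabled" but not why, and the early return is silent. The commit message gives the reason (the guest-provided gfn is not suitable), and putting that in the comment would make it clear that a NULL `rt->ptr` here is guest-controlled state, so a quiet return is the right handling and not an ASSERT or an unconditional log message. Placement is fine: the check sits after `p` is loaded from `rt->ptr` and ahead of the `clear_page(p)` call in the `initialize` path, so the first dereference in the visible code is covered.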
--
generated by git-patchbot for /home/xen/git/xen.git#master



 

