[xen stable-4.19] x86/viridian: avoid NULL pointer dereference in viridian_synic_deliver_timer_msg()
commit 7fa5a9d64ff9e65f4b3253fbe4b4b1366071de80 Author: Roger Pau Monné <roger.pau@xxxxxxxxxx> AuthorDate: Tue Sep 9 14:22:58 2025 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Sep 9 14:22:58 2025 +0200 x86/viridian: avoid NULL pointer dereference in viridian_synic_deliver_timer_msg() The function is called unconditionally, regardless of whether the SIM page is mapped. Avoid a NULL pointer dereference in viridian_synic_deliver_timer_msg() by checking whether the SIM page is mapped. This is CVE-2025-58142 / part of XSA-472. Fixes: 26fba3c85571 ('viridian: add implementation of synthetic timers') Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: 3a7b4f2897a352cff287be97d27150b290a5d1ee master date: 2025-09-09 14:11:34 +0200 --- xen/arch/x86/hvm/viridian/synic.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/arch/x86/hvm/viridian/synic.c b/xen/arch/x86/hvm/viridian/synic.c index c3dc573b00..e6cba7548f 100644 --- a/xen/arch/x86/hvm/viridian/synic.c +++ b/xen/arch/x86/hvm/viridian/synic.c @@ -338,6 +338,10 @@ bool viridian_synic_deliver_timer_msg(struct vcpu *v, unsigned int sintx, .DeliveryTime = delivery, }; + /* Don't assume SIM page to be mapped. */ + if ( !msg ) + return false; + /* * To avoid using an atomic test-and-set, and barrier before calling * vlapic_set_irq(), this function must be called in context of the -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.19
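Review bot: The new `if ( !msg ) return false;` in viridian_synic_deliver_timer_msg() gives callers no way to tell "SIM page not mapped" apart from any other reason this bool function reports non-delivery, and the hunk does not show how callers react to false. Since the commit message says the function is called unconditionally, it is worth confirming that a caller seeing false here does not keep retrying delivery for a page the guest may never map, and extending the comment to say what false means in this case, for example "Don't assume SIM page to be mapped; report the message as not delivered." The placement after the local message initializer and before the existing block comment is fine, as nothing visible dereferences `msg` ahead of the check.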