[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.20] x86/viridian: Enforce bounds check in vpmask_set()



commit 188b66cf0fd7492645b1e77d872f65307d5ce550
Author:     Teddy Astie <teddy.astie@xxxxxxxxxx>
AuthorDate: Tue Oct 21 15:21:59 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 21 15:21:59 2025 +0200

    x86/viridian: Enforce bounds check in vpmask_set()
    
    Callers can pass vp/mask values which exceed the size of vpmask->mask.  
Ensure
    we only set bits which are within bounds.
    
    This is XSA-475 / CVE-2025-58147.
    
    Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush 
hypercalls")
    Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: 36e90c4ef1f2667dc8159c634fb00d393fc2d857
    master date: 2025-10-21 14:09:37 +0200
---
 xen/arch/x86/hvm/viridian/viridian.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/hvm/viridian/viridian.c 
b/xen/arch/x86/hvm/viridian/viridian.c
index 8ff19a00fe..0b614f4d20 100644
--- a/xen/arch/x86/hvm/viridian/viridian.c
+++ b/xen/arch/x86/hvm/viridian/viridian.c
@@ -562,7 +562,8 @@ static void vpmask_set(struct hypercall_vpmask *vpmask, 
unsigned int vp,
 
         if ( mask & 1 )
         {
-            ASSERT(vp < HVM_MAX_VCPUS);
+            if ( vp >= HVM_MAX_VCPUS )
+                break;
             __set_bit(vp, vpmask->mask);
         }
 
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.20



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.