[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [xen staging-4.17] x86/viridian: Enforce bounds check in send_ipi()
commit 464e9f4a40c2d72cb88ada20ada3f84b6bd9ee5f Author: Teddy Astie <teddy.astie@xxxxxxxxxx> AuthorDate: Tue Oct 21 15:31:42 2025 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Tue Oct 21 15:31:42 2025 +0200 x86/viridian: Enforce bounds check in send_ipi() Callers can pass in a vpmask which exceeds d->max_vcpus. Prevent out-of-bound reads of d->vcpu[]. This is XSA-475 / CVE-2025-58148. Fixes: 728acba1ba4a ("viridian: use hypercall_vpmask in hvcall_ipi()") Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> master commit: cc64c245023c3ff8e388c1c96aed3faed6fd00cb master date: 2025-10-21 14:10:13 +0200 --- xen/arch/x86/hvm/viridian/viridian.c | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c index 034f64b809..d39464f4a4 100644 --- a/xen/arch/x86/hvm/viridian/viridian.c +++ b/xen/arch/x86/hvm/viridian/viridian.c @@ -577,26 +577,6 @@ static void vpmask_fill(struct hypercall_vpmask *vpmask) bitmap_fill(vpmask->mask, HVM_MAX_VCPUS); } -static unsigned int vpmask_first(const struct hypercall_vpmask *vpmask) -{ - return find_first_bit(vpmask->mask, HVM_MAX_VCPUS); -} - -static unsigned int vpmask_next(const struct hypercall_vpmask *vpmask, - unsigned int vp) -{ - /* - * If vp + 1 > HVM_MAX_VCPUS then find_next_bit() will return - * HVM_MAX_VCPUS, ensuring the for_each_vp ( ... ) loop terminates. - */ - return find_next_bit(vpmask->mask, HVM_MAX_VCPUS, vp + 1); -} - -#define for_each_vp(vpmask, vp) \ - for ( (vp) = vpmask_first(vpmask); \ - (vp) < HVM_MAX_VCPUS; \ - (vp) = vpmask_next(vpmask, vp) ) - static unsigned int vpmask_nr(const struct hypercall_vpmask *vpmask) { return bitmap_weight(vpmask->mask, HVM_MAX_VCPUS); @@ -813,7 +793,7 @@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector) if ( nr > 1 ) cpu_raise_softirq_batch_begin(); - for_each_vp ( vpmask, vp ) + for_each_set_bit ( vp, vpmask->mask, currd->max_vcpus ) { struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |