[xen stable-4.17] x86/viridian: Enforce bounds check in vpmask_set()
commit 17bfa36a41c82af904fba99f120ddacc862f4b1f
Author: Teddy Astie <teddy.astie@xxxxxxxxxx>
AuthorDate: Tue Oct 21 15:31:25 2025 +0200
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 21 15:31:25 2025 +0200
x86/viridian: Enforce bounds check in vpmask_set()
Callers can pass vp/mask values which exceed the size of vpmask->mask. Ensure
we only set bits which are within bounds.
This is XSA-475 / CVE-2025-58147.
Fixes: b4124682db6e ("viridian: add ExProcessorMasks variants of the flush hypercalls")
Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
master commit: 36e90c4ef1f2667dc8159c634fb00d393fc2d857
master date: 2025-10-21 14:09:37 +0200
---
xen/arch/x86/hvm/viridian/viridian.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/xen/arch/x86/hvm/viridian/viridian.c
b/xen/arch/x86/hvm/viridian/viridian.c
index 372a749ab9..034f64b809 100644
--- a/xen/arch/x86/hvm/viridian/viridian.c
+++ b/xen/arch/x86/hvm/viridian/viridian.c
@@ -562,7 +562,8 @@ static void vpmask_set(struct hypercall_vpmask *vpmask,
unsigned int vp,
if ( mask & 1 )
{
- ASSERT(vp < HVM_MAX_VCPUS);
+ if ( vp >= HVM_MAX_VCPUS )
+ break;
__set_bit(vp, vpmask->mask);
}
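Review bot: The new check `if ( vp >= HVM_MAX_VCPUS )` drops out-of-range bits silently and leaves via `break`, and nothing in the hunk says why stopping is right rather than skipping a single bit. A short comment above the check would help, stating that `vp` only grows from this point so every remaining bit of `mask` is out of range as well; the loop itself is outside the visible context, so a reader of this hunk cannot confirm that. The commit message describes the limit as the size of `vpmask->mask` while the code compares against `HVM_MAX_VCPUS`; if the bitmap is declared with that constant, saying so in the comment would tie the two together.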
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17