
[xen stable-4.17] x86/viridian: Enforce bounds check in send_ipi()



commit 464e9f4a40c2d72cb88ada20ada3f84b6bd9ee5f
Author:     Teddy Astie <teddy.astie@xxxxxxxxxx>
AuthorDate: Tue Oct 21 15:31:42 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Oct 21 15:31:42 2025 +0200

    x86/viridian: Enforce bounds check in send_ipi()
    
    Callers can pass in a vpmask which exceeds d->max_vcpus.  Prevent out-of-bound
    reads of d->vcpu[].
    
    This is XSA-475 / CVE-2025-58148.
    
    Fixes: 728acba1ba4a ("viridian: use hypercall_vpmask in hvcall_ipi()")
    Signed-off-by: Teddy Astie <teddy.astie@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    master commit: cc64c245023c3ff8e388c1c96aed3faed6fd00cb
    master date: 2025-10-21 14:10:13 +0200
---
 xen/arch/x86/hvm/viridian/viridian.c | 22 +---------------------
 1 file changed, 1 insertion(+), 21 deletions(-)

diff --git a/xen/arch/x86/hvm/viridian/viridian.c b/xen/arch/x86/hvm/viridian/viridian.c
index 034f64b809..d39464f4a4 100644
--- a/xen/arch/x86/hvm/viridian/viridian.c
+++ b/xen/arch/x86/hvm/viridian/viridian.c
@@ -577,26 +577,6 @@ static void vpmask_fill(struct hypercall_vpmask *vpmask)
     bitmap_fill(vpmask->mask, HVM_MAX_VCPUS);
 }
 
-static unsigned int vpmask_first(const struct hypercall_vpmask *vpmask)
-{
-    return find_first_bit(vpmask->mask, HVM_MAX_VCPUS);
-}
-
-static unsigned int vpmask_next(const struct hypercall_vpmask *vpmask,
-                                unsigned int vp)
-{
-    /*
-     * If vp + 1 > HVM_MAX_VCPUS then find_next_bit() will return
-     * HVM_MAX_VCPUS, ensuring the for_each_vp ( ... ) loop terminates.
-     */
-    return find_next_bit(vpmask->mask, HVM_MAX_VCPUS, vp + 1);
-}
-
-#define for_each_vp(vpmask, vp) \
-       for ( (vp) = vpmask_first(vpmask); \
-             (vp) < HVM_MAX_VCPUS; \
-             (vp) = vpmask_next(vpmask, vp) )
-
 static unsigned int vpmask_nr(const struct hypercall_vpmask *vpmask)
 {
     return bitmap_weight(vpmask->mask, HVM_MAX_VCPUS);
@@ -813,7 +793,7 @@ static void send_ipi(struct hypercall_vpmask *vpmask, uint8_t vector)
     if ( nr > 1 )
         cpu_raise_softirq_batch_begin();
 
-    for_each_vp ( vpmask, vp )
+    for_each_set_bit ( vp, vpmask->mask, currd->max_vcpus )
     {
         struct vlapic *vlapic = vcpu_vlapic(currd->vcpu[vp]);
 
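Review bot: The loop bound `currd->max_vcpus` in send_ipi() is now the only thing keeping `currd->vcpu[vp]` in range, and nothing at the loop says so; a short comment above it such as `/* The mask may have bits set at or above max_vcpus; never index d->vcpu[] with them. */` would stop a later refactor from widening the bound back to HVM_MAX_VCPUS. The helpers visible in the first hunk (vpmask_fill(), vpmask_nr()) still operate over HVM_MAX_VCPUS, so if `nr` is taken from vpmask_nr() it can count bits the loop now skips; that looks harmless for the `nr > 1` batching decision but deserves a mention in the same comment. The hunk also does not show whether every `currd->vcpu[]` slot below max_vcpus is guaranteed to be non-NULL before it is handed to vcpu_vlapic(), which should be confirmed against the rest of the file. send_ipi()'s body starts and ends outside the hunk.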
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17



 

