[Xen-devel] [PATCH] ioemu: Fix PVFB backend to limit frame buffer size

[Markus Armbruster <armbru@xxxxxxxxxx>]

The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly.  This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.

Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

diff -r 53195719f762 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c    Tue May 13 15:08:17 2008 +0100
+++ b/tools/ioemu/hw/xenfb.c    Thu May 15 09:37:18 2008 +0200
@@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xen
                fprintf(stderr,
                        "FB: frontend fb size %zu limited to %zu\n",
                        fb_len, fb_len_lim);
+               fb_len = fb_len_lim;
        }
        if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
                fprintf(stderr,

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel