[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 03/11] tmem: check the pool_id is valid when destroying a tmem pool

To: "xen-devel" <xen-devel@xxxxxxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Wed, 05 Sep 2012 13:35:00 +0100
Cc: dan.magenheimer@xxxxxxxxxx, Zhenzhong Duan <zhenzhong.duan@xxxxxxxxxx>
Delivery-date: Wed, 05 Sep 2012 12:34:43 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

This is part of XSA-15 / CVE-2012-3497.

Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Acked-by: Jan Beulich <jbeulich@xxxxxxxx>

--- a/xen/common/tmem.c
+++ b/xen/common/tmem.c
@@ -1870,6 +1870,8 @@ static NOINLINE int do_tmem_destroy_pool
 
     if ( client->pools == NULL )
         return 0;
+    if ( pool_id >= MAX_POOLS_PER_DOMAIN )
+        return 0;
     if ( (pool = client->pools[pool_id]) == NULL )
         return 0;
     client->pools[pool_id] = NULL;

Attachment: tmem-xsa-15-3
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH 03/11] tmem: check the pool_id is valid when destroying a tmem pool
  - From: Dan Magenheimer

Prev by Date: Re: [Xen-devel] [PATCH 0/2] PHYSDEVOP_get_free_pirq adjustments
Next by Date: [Xen-devel] [PATCH 04/11] tmem: check for a valid client ("domain") in the save subops
Previous by thread: [Xen-devel] [PATCH 02/11] tmem: consistently make pool_id a uint32_t
Next by thread: Re: [Xen-devel] [PATCH 03/11] tmem: check the pool_id is valid when destroying a tmem pool
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.