|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 02/11] tmem: consistently make pool_id a uint32_t
> From: Jan Beulich [mailto:JBeulich@xxxxxxxx] > Sent: Wednesday, September 05, 2012 6:35 AM > To: xen-devel > Cc: Dan Magenheimer; Zhenzhong Duan > Subject: [PATCH 02/11] tmem: consistently make pool_id a uint32_t > > Treating it as an int could allow a malicious guest to provide a > negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and > allowing access to the negative offsets of the pool array. > > This is part of XSA-15 / CVE-2012-3497. > > Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx> > Acked-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Dan Magenheimer <dan.magenheimer@xxxxxxxxxx> > --- a/xen/common/tmem.c > +++ b/xen/common/tmem.c > @@ -2417,7 +2417,7 @@ static NOINLINE int tmemc_save_subop(int > return rc; > } > > -static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id, > +static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id, > tmem_cli_va_t buf, uint32_t bufsize) > { > client_t *client = tmh_client_from_cli_id(cli_id); > @@ -2509,7 +2509,7 @@ out: > return ret; > } > > -static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp, > +static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp, > uint32_t index, tmem_cli_va_t buf, uint32_t bufsize) > { > client_t *client = tmh_client_from_cli_id(cli_id); > @@ -2521,7 +2521,7 @@ static int tmemc_restore_put_page(int cl > return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p); > } > > -static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp, > +static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp, > uint32_t index) > { > client_t *client = tmh_client_from_cli_id(cli_id); > > > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |