[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 21/22] libxc: range checks in xc_dom_p2m_host and _guest
These functions take guest pfns and look them up in the p2m. They did no range checking. However, some callers, notably xc_dom_boot.c:setup_hypercall_page want to pass untrusted guest-supplied value(s). It is most convenient to detect this here and return INVALID_MFN. This is part of the fix to a security issue, XSA-55. Changes from Xen 4.2 version of this patch: * 4.2 lacks dom->rambase_pfn, so don't add/subtract/check it. Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> --- tools/libxc/xc_dom.h | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h index 0161459..d801f66 100644 --- a/tools/libxc/xc_dom.h +++ b/tools/libxc/xc_dom.h @@ -331,6 +331,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn) { if (dom->shadow_enabled) return pfn; + if (pfn >= dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn]; } @@ -339,6 +341,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom, { if (xc_dom_feature_translated(dom)) return pfn; + if (pfn >= dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn]; } -- 1.7.2.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |