[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 21/22] libxc: range checks in xc_dom_p2m_host and _guest



On 11/06/13 19:21, Ian Jackson wrote:
> These functions take guest pfns and look them up in the p2m.  They did
> no range checking.
>
> However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
> to pass untrusted guest-supplied value(s).  It is most convenient to
> detect this here and return INVALID_MFN.
>
> This is part of the fix to a security issue, XSA-55.
>
> Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>

Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

> Cc: Tim Deegan <tim@xxxxxxx>
>
> v6: Check for underflow too (thanks to Andrew Cooper).
> ---
>  tools/libxc/xc_dom.h |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
> index 5968e7b..86e23ee 100644
> --- a/tools/libxc/xc_dom.h
> +++ b/tools/libxc/xc_dom.h
> @@ -342,6 +342,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct 
> xc_dom_image *dom, xen_pfn_t pfn)
>  {
>      if (dom->shadow_enabled)
>          return pfn;
> +    if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages)
> +        return INVALID_MFN;
>      return dom->p2m_host[pfn - dom->rambase_pfn];
>  }
>  
> @@ -350,6 +352,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct 
> xc_dom_image *dom,
>  {
>      if (xc_dom_feature_translated(dom))
>          return pfn;
> +    if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages)
> +        return INVALID_MFN;
>      return dom->p2m_host[pfn - dom->rambase_pfn];
>  }
>  


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.