Re: [Xen-devel] [PATCH 21/22] libxc: range checks in xc_dom_p2m_host and _guest
On 11/06/13 19:21, Ian Jackson wrote: > These functions take guest pfns and look them up in the p2m. They did > no range checking. > > However, some callers, notably xc_dom_boot.c:setup_hypercall_page want > to pass untrusted guest-supplied value(s). It is most convenient to > detect this here and return INVALID_MFN. > > This is part of the fix to a security issue, XSA-55. > > Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> > Cc: Tim Deegan <tim@xxxxxxx> > > v6: Check for underflow too (thanks to Andrew Cooper). > --- > tools/libxc/xc_dom.h | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h > index 5968e7b..86e23ee 100644 > --- a/tools/libxc/xc_dom.h > +++ b/tools/libxc/xc_dom.h > @@ -342,6 +342,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct > xc_dom_image *dom, xen_pfn_t pfn) > { > if (dom->shadow_enabled) > return pfn; > + if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages) > + return INVALID_MFN; > return dom->p2m_host[pfn - dom->rambase_pfn]; > } > > @@ -350,6 +352,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct > xc_dom_image *dom, > { > if (xc_dom_feature_translated(dom)) > return pfn; > + if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages) > + return INVALID_MFN; > return dom->p2m_host[pfn - dom->rambase_pfn]; > } > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
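Review bot: in the first hunk (xc_dom_p2m_host), the upper bound `pfn >= dom->rambase_pfn + dom->total_pages` computes a sum that can itself wrap if rambase_pfn and total_pages are large, which would make the comparison pass for an out-of-range pfn. Since the lower bound is tested first, the upper bound can be written without the addition as `pfn - dom->rambase_pfn >= dom->total_pages`, which uses the same subtraction as the array index on the following line and cannot overflow once `pfn >= dom->rambase_pfn` is known.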
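Review bot: in the second hunk (xc_dom_p2m_guest), the new range check sits after the `if (xc_dom_feature_translated(dom)) return pfn;` early return, so on that path a guest-supplied pfn is still handed back unchecked; the same holds for the `dom->shadow_enabled` return in xc_dom_p2m_host. If that is intended, a comment above each function should say that INVALID_MFN is returned only on the p2m lookup path and that callers must test for it and must validate the pfn themselves on the pass-through path. The identical two-line check now appears in both functions, so a small shared inline helper would keep the two bounds tests from drifting apart.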