[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 23/23] libxc: Better range check in xc_dom_alloc_segment
If seg->pfn is too large, the arithmetic in the range check might overflow, defeating the range check. This is part of the fix to a security issue, XSA-55. Signed-off-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> --- tools/libxc/xc_dom_core.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c index 5f188c1..3df7171 100644 --- a/tools/libxc/xc_dom_core.c +++ b/tools/libxc/xc_dom_core.c @@ -511,7 +511,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom, seg->vstart = start; seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size; - if ( pages > dom->total_pages || /* double test avoids overflow probs */ + if ( pages > dom->total_pages || /* multiple test avoids overflow probs */ + seg->pfn > dom->total_pages || pages > dom->total_pages - seg->pfn) { xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY, -- 1.7.2.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |