[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] [LINUX] privcmd: Range-check hypercall index.

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Mon, 30 Oct 2006 22:10:14 +0000
Delivery-date: Thu, 02 Nov 2006 13:40:49 -0800
List-id: BK change log <xen-changelog.lists.xensource.com>

# HG changeset patch
# User kfraser@xxxxxxxxxxxxxxxxxxxxx
# Node ID c3b4fef4f751e1fc57b8ee48abf06f1e3e802ce4
# Parent  7e52933a46b183fccd47bc3ac1f1e38c4f699596
[LINUX] privcmd: Range-check hypercall index.
Otherwise, bugs in e.g. libxc may bring the kernel down.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxxxx>
---
 linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c |   18 ++++++++++--------
 1 files changed, 10 insertions(+), 8 deletions(-)

diff -r 7e52933a46b1 -r c3b4fef4f751 
linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c
--- a/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c        Mon Oct 30 
13:53:09 2006 +0000
+++ b/linux-2.6-xen-sparse/drivers/xen/privcmd/privcmd.c        Mon Oct 30 
14:04:44 2006 +0000
@@ -53,6 +53,8 @@ static int privcmd_ioctl(struct inode *i
                        return -EFAULT;
 
 #if defined(__i386__)
+               if (hypercall.op >= (PAGE_SIZE >> 5))
+                       break;
                __asm__ __volatile__ (
                        "pushl %%ebx; pushl %%ecx; pushl %%edx; "
                        "pushl %%esi; pushl %%edi; "
@@ -69,21 +71,21 @@ static int privcmd_ioctl(struct inode *i
                        "popl %%ecx; popl %%ebx"
                        : "=a" (ret) : "0" (&hypercall) : "memory" );
 #elif defined (__x86_64__)
-               {
+               if (hypercall.op < (PAGE_SIZE >> 5)) {
                        long ign1, ign2, ign3;
                        __asm__ __volatile__ (
                                "movq %8,%%r10; movq %9,%%r8;"
-                               "shlq $5,%%rax ;"
+                               "shll $5,%%eax ;"
                                "addq $hypercall_page,%%rax ;"
                                "call *%%rax"
                                : "=a" (ret), "=D" (ign1),
                                  "=S" (ign2), "=d" (ign3)
-                               : "0" ((unsigned long)hypercall.op), 
-                               "1" ((unsigned long)hypercall.arg[0]), 
-                               "2" ((unsigned long)hypercall.arg[1]),
-                               "3" ((unsigned long)hypercall.arg[2]), 
-                               "g" ((unsigned long)hypercall.arg[3]),
-                               "g" ((unsigned long)hypercall.arg[4])
+                               : "0" ((unsigned int)hypercall.op),
+                               "1" (hypercall.arg[0]),
+                               "2" (hypercall.arg[1]),
+                               "3" (hypercall.arg[2]),
+                               "g" (hypercall.arg[3]),
+                               "g" (hypercall.arg[4])
                                : "r8", "r10", "memory" );
                }
 #elif defined (__ia64__)

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen-unstable] [XEN] Add a warning to the i8259 if we generate spurious IRQs. Tidy up
Next by Date: [Xen-changelog] [xen-unstable] [HVM] Fix Qemu-dm serial issues:
Previous by thread: [Xen-changelog] [xen-unstable] [XEN] Add a warning to the i8259 if we generate spurious IRQs. Tidy up
Next by thread: [Xen-changelog] [xen-unstable] [HVM] Fix Qemu-dm serial issues:
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.