[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen-unstable] libxc: restore: bounds check for start_info.{store_mfn, console.domU.mfn}

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
From: Xen patchbot-unstable <patchbot@xxxxxxx>
Date: Mon, 23 Jul 2012 19:55:09 +0000
Delivery-date: Mon, 23 Jul 2012 19:55:22 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

# HG changeset patch
# User Ian Campbell <ian.campbell@xxxxxxxxxx>
# Date 1343045378 -3600
# Node ID c1d4d2b87505f749089e9a11fc42287c41b08870
# Parent  bb1b85f2ce981d61b9061f2d25a50583cadb358f
libxc: restore: bounds check for start_info.{store_mfn,console.domU.mfn}

These fields are canonicalised by the guest on suspend and therefore must be
valid pfns during restore.

Reported-by: Jonathan Ludlam <Jonathan.Ludlam@xxxxxxxxxxxxx>
Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
Acked-by: Ian Jackson <ian.jackson@xxxxxxxxxxxxx>
Committed-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
---


diff -r bb1b85f2ce98 -r c1d4d2b87505 tools/libxc/xc_domain_restore.c
--- a/tools/libxc/xc_domain_restore.c   Mon Jul 23 13:09:37 2012 +0100
+++ b/tools/libxc/xc_domain_restore.c   Mon Jul 23 13:09:38 2012 +0100
@@ -1912,9 +1912,21 @@ int xc_domain_restore(xc_interface *xch,
             SET_FIELD(start_info, nr_pages, dinfo->p2m_size);
             SET_FIELD(start_info, shared_info, shared_info_frame<<PAGE_SHIFT);
             SET_FIELD(start_info, flags, 0);
+            if ( GET_FIELD(start_info, store_mfn) > dinfo->p2m_size )
+            {
+                ERROR("Suspend record xenstore frame number is bad");
+                munmap(start_info, PAGE_SIZE);
+                goto out;
+            }
             *store_mfn = ctx->p2m[GET_FIELD(start_info, store_mfn)];
             SET_FIELD(start_info, store_mfn, *store_mfn);
             SET_FIELD(start_info, store_evtchn, store_evtchn);
+            if ( GET_FIELD(start_info, console.domU.mfn) > dinfo->p2m_size )
+            {
+                ERROR("Suspend record console frame number is bad");
+                munmap(start_info, PAGE_SIZE);
+                goto out;
+            }
             *console_mfn = ctx->p2m[GET_FIELD(start_info, console.domU.mfn)];
             SET_FIELD(start_info, console.domU.mfn, *console_mfn);
             SET_FIELD(start_info, console.domU.evtchn, console_evtchn);

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog

Prev by Date: [Xen-changelog] [xen-unstable] libxl: move bootloader data strucutres and prototypes
Next by Date: [Xen-changelog] [xen-unstable] hotplug: vif: fail if a duplicate vifname is used.
Previous by thread: [Xen-changelog] [xen-unstable] libxl: move bootloader data strucutres and prototypes
Next by thread: [Xen-changelog] [xen-unstable] hotplug: vif: fail if a duplicate vifname is used.
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.