|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] xen/gnttab: Validate input to GNTTABOP_swap_grant_ref
# HG changeset patch
# User Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
# Date 1346844626 -3600
# Node ID 93e5a791d07628225d836af25bcb45f0197e3cac
# Parent 2750340a347da93fa694bbbf60d71b44fe3b0ca7
xen/gnttab: Validate input to GNTTABOP_swap_grant_ref
xen-unstable c/s 24548:d115844ebfbb introduces a new GNTTABOP to swap
grant refs. However, it fails to validate the two refs passed from
the guest.
The result is that passing out-of-range refs can cause Xen to read
past the end of the grant_table->active[] array, and deference
whatever it finds. Typically, this results in Xen trying to deference
a low pointer and fail with a page-fault.
As this hypercall can be issued by an unprivileged guest, this is a
Denial of Service against Xen. This is XSA-18 / CVE-2012-3516.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Acked-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
diff -r 2750340a347d -r 93e5a791d076 xen/common/grant_table.c
--- a/xen/common/grant_table.c Wed Sep 05 12:29:52 2012 +0100
+++ b/xen/common/grant_table.c Wed Sep 05 12:30:26 2012 +0100
@@ -2339,6 +2339,12 @@ __gnttab_swap_grant_ref(grant_ref_t ref_
spin_lock(>->lock);
+ /* Bounds check on the grant refs */
+ if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
+ if ( unlikely(ref_b >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-b (%d).\n", ref_b);
+
act = &active_entry(gt, ref_a);
if ( act->pin )
PIN_FAIL(out, GNTST_eagain, "ref a %ld busy\n", (long)ref_a);
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |