[Xen-changelog] [xen-4.1-testing] x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use
# HG changeset patch # User Jan Beulich <jbeulich@xxxxxxxx> # Date 1354646993 0 # Node ID e7c8ffa11596af038713773d984e3ee1759f4083 # Parent 53ef1f35a0f8cf91c69717c015549532bc6aebe9 x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use Otherwise an out of bounds array access can happen if changing the default access is being requested, which - if it doesn't crash Xen - would subsequently allow reading arbitrary memory through HVMOP_get_mem_access (again, unless that operation crashes Xen). This is XSA-28 / CVE-2012-5512. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Tim Deegan <tim@xxxxxxx> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Committed-by: Ian Jackson <ian.jackson.citrix.com> --- diff -r 53ef1f35a0f8 -r e7c8ffa11596 xen/arch/x86/hvm/hvm.c --- a/xen/arch/x86/hvm/hvm.c Tue Dec 04 18:49:49 2012 +0000 +++ b/xen/arch/x86/hvm/hvm.c Tue Dec 04 18:49:53 2012 +0000 @@ -3728,7 +3728,7 @@ long do_hvm_op(unsigned long op, XEN_GUE return rc; rc = -EINVAL; - if ( !is_hvm_domain(d) ) + if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) ) goto param_fail5; p2m = p2m_get_hostp2m(d); @@ -3748,9 +3748,6 @@ long do_hvm_op(unsigned long op, XEN_GUE ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) goto param_fail5; - if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) ) - goto param_fail5; - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) { p2m_type_t t; _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
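Review bot: the combined test in the first hunk, `if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )`, carries no comment explaining why the bounds check has to sit ahead of `p2m = p2m_get_hostp2m(d);`. The commit message says the out-of-bounds access happens when a change of the default access is requested, so the ordering is the whole fix. A one-line comment stating that a.hvmmem_access indexes memaccess[] on the default-access path as well as in the per-pfn loop would keep a later cleanup from moving the check back down next to the loop. It is also worth confirming that the comparison is done in unsigned arithmetic for the field's declared type, so that no negative value can pass it.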
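Review bot: in the second hunk, removing the check directly above `for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )` leaves the loop relying on a test made about twenty lines earlier, with nothing local to show that the index is already validated. The removal is correct, since the early test makes this one unreachable, but an `ASSERT(a.hvmmem_access < ARRAY_SIZE(memaccess));` ahead of the loop would keep the invariant visible at the point of use. The commit message also describes HVMOP_get_mem_access as the way a corrupted value would be read back, and this patch touches only the set side, so consider whether the get side deserves a similar defensive check in a follow-up.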