[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen stable-4.3] x86: check segment descriptor read result in 64-bit OUTS emulation
commit 889f547790953d30cd88a465aac5954e5f407e53 Author: Matthew Daley <mattjd@xxxxxxxxx> AuthorDate: Thu Oct 10 15:22:55 2013 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Thu Oct 10 15:22:55 2013 +0200 x86: check segment descriptor read result in 64-bit OUTS emulation When emulating such an operation from a 64-bit context (CS has long mode set), and the data segment is overridden to FS/GS, the result of reading the overridden segment's descriptor (read_descriptor) is not checked. If it fails, data_base is left uninitialized. This can lead to 8 bytes of Xen's stack being leaked to the guest (implicitly, i.e. via the address given in a #PF). Coverity-ID: 1055116 This is CVE-2013-4368 / XSA-67. Signed-off-by: Matthew Daley <mattjd@xxxxxxxxx> Fix formatting. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> master commit: 0771faba163769089c9f05f7f76b63e397677613 master date: 2013-10-10 15:19:53 +0200 --- xen/arch/x86/traps.c | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index 2e6895c..eb426ec 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -1990,10 +1990,10 @@ static int emulate_privileged_op(struct cpu_user_regs *regs) break; } } - else - read_descriptor(data_sel, v, regs, - &data_base, &data_limit, &ar, - 0); + else if ( !read_descriptor(data_sel, v, regs, + &data_base, &data_limit, &ar, 0) || + !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) ) + goto fail; data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.3 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |