
[Xen-changelog] [xen stable-4.5] gnttab: add missing version check to GNTTABOP_swap_grant_ref handling



commit fcfbdb43336a8c1f1c9f34940eeb5fab4ef1760c
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Thu Jun 11 14:56:38 2015 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Thu Jun 11 14:56:38 2015 +0200

    gnttab: add missing version check to GNTTABOP_swap_grant_ref handling
    
    ... avoiding NULL derefs when the version to use wasn't set yet (via
    GNTTABOP_setup_table or GNTTABOP_set_version).
    
    This is CVE-2015-4163 / XSA-134.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    master commit: 5d5c09d853d3f212861f70c577c65d1703f752ae
    master date: 2015-06-11 14:44:12 +0200
---
 xen/common/grant_table.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index fe52b63..935034c 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2449,6 +2449,9 @@ __gnttab_swap_grant_ref(grant_ref_t ref_a, grant_ref_t 
ref_b)
 
     spin_lock(&gt->lock);
 
+    if ( gt->gt_version == 0 )
+        PIN_FAIL(out, GNTST_general_error, "grant table not yet set up\n");
+
     /* Bounds check on the grant refs */
     if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
         PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
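Review bot: the new `gt->gt_version == 0` test directly after `spin_lock(&gt->lock)` carries no comment and is not wrapped in `unlikely()`, whereas the bounds check just below it has both. A one-line comment saying that the version stays 0 until GNTTABOP_setup_table or GNTTABOP_set_version has run, as the commit message explains, would tell later readers why this early exit must stay ahead of the `nr_grant_entries(d->grant_table)` bounds check. Wrapping the condition in `unlikely()` would match the neighbouring check. Placing the test inside the locked region and leaving through the same `out` label as the other `PIN_FAIL` calls looks right.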
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.5

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 

