Xen project Mailing List

[Xen-changelog] [xen master] x86/32on64: properly honor add-to-physmap-batch's size

Date: Fri, 28 Apr 2017 14:01:03 +0000

Delivery-date: Fri, 28 Apr 2017 14:01:08 +0000

List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xen.org>

commit 144aec4140515c53bb1676df71a469f3e285c557 Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Wed Apr 26 09:48:45 2017 +0200 Commit: Jan Beulich <jbeulich@xxxxxxxx> CommitDate: Wed Apr 26 09:48:45 2017 +0200 x86/32on64: properly honor add-to-physmap-batch's size Commit 407a3c00ff ("compat/memory: fix build with old gcc") "fixed" a build issue by switching to the use of uninitialized data. Due to - the bounding of the uninitialized data item - the accessed area being outside of Xen space - arguments being properly verified by the native hypercall function this is not a security issue. Reported-by: Marek Marczykowski-GÃ³recki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx> Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx> Release-acked-by: Julien Grall <julien.grall@xxxxxxx> --- xen/common/compat/memory.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c index a37a948..35bb259 100644 --- a/xen/common/compat/memory.c +++ b/xen/common/compat/memory.c @@ -251,7 +251,7 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat) unsigned int limit = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.atpb)) / (sizeof(nat.atpb->idxs.p) + sizeof(nat.atpb->gpfns.p)); /* Use an intermediate variable to suppress warnings on old gcc: */ - unsigned int size = cmp.atpb.size; + unsigned int size; xen_ulong_t *idxs = (void *)(nat.atpb + 1); xen_pfn_t *gpfns = (void *)(idxs + limit); /* @@ -262,8 +262,10 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat) enum XLAT_add_to_physmap_batch_u u = XLAT_add_to_physmap_batch_u_res0; - if ( copy_from_guest(&cmp.atpb, compat, 1) || - !compat_handle_okay(cmp.atpb.idxs, size) || + if ( copy_from_guest(&cmp.atpb, compat, 1) ) + return -EFAULT; + size = cmp.atpb.size; + if ( !compat_handle_okay(cmp.atpb.idxs, size) || !compat_handle_okay(cmp.atpb.gpfns, size) || !compat_handle_okay(cmp.atpb.errs, size) ) return -EFAULT; -- generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx https://lists.xenproject.org/xen-changelog

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.