[xen stable-4.16] x86/HVM: properly reject "indirect" VRAM writes
commit 134ec0ff63766dcac9eff17ae516c3134bcd33b7
Author: Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Nov 12 14:12:18 2024 +0100
Commit: Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Nov 12 14:12:18 2024 +0100

x86/HVM: properly reject "indirect" VRAM writes

While ->count will only be different from 1 for "indirect" (data in
guest memory) accesses, it being 1 does not exclude the request being an
"indirect" one. Check both to be on the safe side, and bring the ->count
part also in line with what ioreq_send_buffered() actually refuses to
handle.

This is part of XSA-463 / CVE-2024-45818

Fixes: 3bbaaec09b1b ("x86/hvm: unify stdvga mmio intercept with standard mmio intercept")
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
(cherry picked from commit eb7cd0593d88c4b967a24bca8bd30591966676cd)
---
xen/arch/x86/hvm/stdvga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/hvm/stdvga.c b/xen/arch/x86/hvm/stdvga.c
index b9d7b5a4d9..11f2a92d12 100644
--- a/xen/arch/x86/hvm/stdvga.c
+++ b/xen/arch/x86/hvm/stdvga.c
@@ -498,13 +498,13 @@ static bool_t stdvga_mem_accept(const struct
hvm_io_handler *handler,
spin_lock(&s->lock);
- if ( p->dir == IOREQ_WRITE && p->count > 1 )
+ if ( p->dir == IOREQ_WRITE && (p->data_is_ptr || p->count != 1) )
{
/*
* We cannot return X86EMUL_UNHANDLEABLE on anything other then the
* first cycle of an I/O. So, since we cannot guarantee to always be
* able to send buffered writes, we have to reject any multi-cycle
- * I/O.
+ * or "indirect" I/O.
*/
goto reject;
}
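Review bot: The comment above "goto reject" now names multi-cycle and "indirect" I/O, but the new test "p->count != 1" also rejects a count of 0, which is neither of those. Since the commit message says the ->count part is meant to match what ioreq_send_buffered() refuses, the comment should say so explicitly (for example "reject anything ioreq_send_buffered() would not handle: data_is_ptr set or count other than 1"), so that a later change to one check prompts a look at the other. While the comment is being touched, "other then the first cycle" in its first line should read "other than".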
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.16