
[xen staging] compat/memory: avoid UB shifts in XENMEM_exchange handling



commit 560c51be8f6a88cde43c0a7c8be60158b5725982
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Tue Apr 22 11:25:23 2025 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Tue Apr 22 11:25:23 2025 +0200

    compat/memory: avoid UB shifts in XENMEM_exchange handling
    
    Add an early basic check, yielding the same error code as the more
    thorough one the main handler would produce.
    
    Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
    Reported-by: Manuel Andreas <manuel.andreas@xxxxxx>
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Reviewed-by: Jason Andryuk <jason.andryuk@xxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 xen/common/compat/memory.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
index 45e5fb0e5d..2ec3a3a1db 100644
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -161,6 +161,11 @@ int compat_memory_op(unsigned int cmd, 
XEN_GUEST_HANDLE_PARAM(void) arg)
             if ( copy_from_guest(&cmp.xchg, arg, 1) )
                 return -EFAULT;
 
+            /* Early coarse check, as max_order() isn't available here. */
+            if ( cmp.xchg.in.extent_order >= BITS_PER_INT ||
+                 cmp.xchg.out.extent_order >= BITS_PER_INT )
+                return -EPERM;
+
             order_delta = cmp.xchg.out.extent_order - cmp.xchg.in.extent_order;
             /* Various sanity checks. */
             if ( (cmp.xchg.nr_exchanged > cmp.xchg.in.nr_extents) ||
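
Review bot: The `return -EPERM` in the added early check looks like the wrong errno for an out-of-range extent_order unless the reader already knows it mirrors the main handler. The commit message says so, but the code comment only mentions that max_order() isn't available. Consider extending the comment, for example "Early coarse check, as max_order() isn't available here; -EPERM matches the main handler's order check", so the choice survives without the commit log. The comment could also say what the BITS_PER_INT bound protects: with both orders below BITS_PER_INT, the order_delta computed on the following line stays strictly between -BITS_PER_INT and BITS_PER_INT, which is presumably what keeps the later shifts (outside this hunk) defined. If any of those shifts operate on a type wider or narrower than int, BITS_PER_INT would not be the matching bound, so naming the guarded shifts in the comment would make that checkable.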
--
generated by git-patchbot for /home/xen/git/xen.git#staging