[Xen-devel] Question Regarding set_gdt
It seems to me that set_gdt in xen/arch/x86/x86_32/mm.c could allow a
domain to partially zero a page that it doesn't own:

    long set_gdt(struct domain *d,
                 unsigned long *frames,
                 unsigned int entries)
    {
        /* NB. There are 512 8-byte entries per GDT page. */
        int i, nr_pages = (entries + 511) / 512;
        struct desc_struct *vgdt;

        vgdt = map_domain_mem(frames[0] << PAGE_SHIFT);
        memset( vgdt + FIRST_RESERVED_GDT_ENTRY, 0,
                NR_RESERVED_GDT_ENTRIES*8);

        /* Check the new GDT. */
        for ( i = 0; i < nr_pages; i++ )
        {
            if ( unlikely(frames[i] >= max_page) ||
                 unlikely(!get_page_and_type(&frame_table[frames[i]], d,
                                             PGT_gdt_page)) )
                goto fail;
        }

Xen doesn't seem to check whether the list of pages specified in
frames[] belongs to the calling domain until get_page_and_type is
called, but Xen zeroes the reserved GDT entries in the first specified
page before this. I don't see any checks in do_set_gdt either.

Am I missing something, or is this a bug?

--Michael Vrable
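The ordering issue raised in the message, as an added example that is not part of the original post and is not Xen code: a toy frame table in which zeroing before the ownership check alters another domain's page even though the call fails, while validating first leaves it untouched. The helper names (owned_by, zero_reserved, setup_page, reserved_intact), the constants and the domain numbers are assumptions, and reference counting done by get_page_and_type is not modelled.

```c
/* Toy model constructed for illustration; not Xen code. */
#include <stdio.h>
#include <string.h>

#define MAX_PAGE   4    /* constructed: a "machine" with 4 frames */
#define ENTRIES    512  /* 512 8-byte entries per GDT page */
#define FIRST_RSVD 256  /* placeholder, not Xen's FIRST_RESERVED_GDT_ENTRY */
#define NR_RSVD    8    /* placeholder, not Xen's NR_RESERVED_GDT_ENTRIES */

struct page { int owner; unsigned long long desc[ENTRIES]; };
static struct page frame_table[MAX_PAGE];

/* Stand-in for the bounds test plus get_page_and_type(): ownership only. */
static int owned_by(unsigned long frame, int dom) {
    return frame < MAX_PAGE && frame_table[frame].owner == dom;
}
static void zero_reserved(unsigned long f) { memset(&frame_table[f].desc[FIRST_RSVD], 0, NR_RSVD * 8); }

/* Ordering described in the message: write first, validate afterwards. */
int set_gdt_write_first(int dom, const unsigned long *frames, int nr_pages) {
    zero_reserved(frames[0]);          /* nothing has been checked yet */
    for (int i = 0; i < nr_pages; i++)
        if (!owned_by(frames[i], dom)) return -1;   /* too late: already modified */
    return 0;
}

/* Reordered: validate every frame, then touch memory. */
int set_gdt_check_first(int dom, const unsigned long *frames, int nr_pages) {
    if (nr_pages < 1) return -1;
    for (int i = 0; i < nr_pages; i++)
        if (!owned_by(frames[i], dom)) return -1;
    zero_reserved(frames[0]);
    return 0;
}

/* Constructed test data: give frame f to dom and fill it with 0xAA. */
void setup_page(unsigned long f, int dom) {
    frame_table[f].owner = dom;
    memset(frame_table[f].desc, 0xAA, sizeof frame_table[f].desc);
}
int reserved_intact(unsigned long f) { return frame_table[f].desc[FIRST_RSVD] == 0xAAAAAAAAAAAAAAAAULL; }

int main(void) {
    unsigned long frames[1] = { 1 };   /* frame 1 belongs to domain 2 */
    setup_page(1, 2); set_gdt_write_first(1, frames, 1);
    printf("write-first: foreign page intact = %d\n", reserved_intact(1));
    setup_page(1, 2); set_gdt_check_first(1, frames, 1);
    printf("check-first: foreign page intact = %d\n", reserved_intact(1));
    return 0;
}
```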