[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 02/11] tmem: consistently make pool_id a uint32_t
Treating it as an int could allow a malicious guest to provide a negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and allowing access to the negative offsets of the pool array. This is part of XSA-15 / CVE-2012-3497. Signed-off-by: Ian Campbell <ian.campbell@xxxxxxxxxx> Acked-by: Jan Beulich <jbeulich@xxxxxxxx> --- a/xen/common/tmem.c +++ b/xen/common/tmem.c @@ -2417,7 +2417,7 @@ static NOINLINE int tmemc_save_subop(int return rc; } -static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id, +static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id, tmem_cli_va_t buf, uint32_t bufsize) { client_t *client = tmh_client_from_cli_id(cli_id); @@ -2509,7 +2509,7 @@ out: return ret; } -static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp, +static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp, uint32_t index, tmem_cli_va_t buf, uint32_t bufsize) { client_t *client = tmh_client_from_cli_id(cli_id); @@ -2521,7 +2521,7 @@ static int tmemc_restore_put_page(int cl return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p); } -static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp, +static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp, uint32_t index) { client_t *client = tmh_client_from_cli_id(cli_id); Attachment:
tmem-xsa-15-2 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
![]() |
Lists.xenproject.org is hosted with RackSpace, monitoring our |