|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 3/4] x86/vPIC: avoid speculative out of bounds accesses
Array indexes used in the I/O port read/write emulation functions are
derived from guest controlled values. Where this is not already done,
restrict their ranges to limit the side effects of speculative execution.
Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
--- a/xen/arch/x86/hvm/vpic.c
+++ b/xen/arch/x86/hvm/vpic.c
@@ -335,7 +335,7 @@ static int vpic_intercept_pic_io(
return X86EMUL_OKAY;
}
- vpic = ¤t->domain->arch.hvm.vpic[port >> 7];
+ vpic = ¤t->domain->arch.hvm.vpic[!!(port & 0x80)];
if ( dir == IOREQ_WRITE )
vpic_ioport_write(vpic, port, (uint8_t)*val);
@@ -448,7 +448,7 @@ void vpic_init(struct domain *d)
void vpic_irq_positive_edge(struct domain *d, int irq)
{
- struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[irq >> 3];
+ struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[!!(irq & 8)];
uint8_t mask = 1 << (irq & 7);
ASSERT(has_vpic(d));
@@ -466,7 +466,7 @@ void vpic_irq_positive_edge(struct domai
void vpic_irq_negative_edge(struct domain *d, int irq)
{
- struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[irq >> 3];
+ struct hvm_hw_vpic *vpic = &d->arch.hvm.vpic[!!(irq & 8)];
uint8_t mask = 1 << (irq & 7);
ASSERT(has_vpic(d));
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |