[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v2] xen: vm_event: do not do vm_event_op for an invalid domain
- To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- From: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
- Date: Tue, 18 Mar 2025 00:39:55 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NXv4xU4x+53wBXOUxfeyQ86OQhwSjk5uUNJFUrGsBfY=; b=Pi8cBNLwY65DyXPcxbxXdPbqRbHOcdhNMOuY7yIexFtNY/0vhg2+V8wSxHCUyjAYZ1iwt+KPjGzd7jEhouqk7Oi2DEcG1tZ2F0qacc+bcITt0Ly4e4NXSIPYwEwMRBsNHoQUj/XpdaMC7rIqsGRok/HZxAIExLlr6e8B1oNr05MBmbbLoqqXmn9e5kqM7fkyPPXxzDKUCu6t8E2EYcjqDGgRA33JU26TLlavPP/+CePBtzVfJFV/CaaXmUqj93Bqb0KFq7r2TC2mTDv76y+C+5qpA/9fIOtiPjGDDB+rX4Yf8EJsvQVPEcxRDCD/ntehTFsR1EKfUBOymExULMmXfg==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=RQRIU+jBy842nAozs8x9qUtArsKU/pMq+B7wIzpJwUxLcbVXjPylMmg+8yb/+bdZQnNzWXAsjHZXlWi3dHpZlZtzpIz3VvYGyFgobCQBdMwTrdjAHkwz6SA1pLlws/f9O8Nmt/GxaZctiRJX7O5ylQsYMAk+QL1iPaDoHaw32VPEafBNh9biQwo70NEPBzw4Aaaa6DGL/vze4XQzqlzkHvQVaVFvOXN9y9Si2GE8CldsDY/IXr18ktvWzYHTDQdDdtJaTVRLoEWPWM7aR9dUYKt2jLyEF/ezPBfWxkH3h28pCPZpwqcht3CUg78kRV+kffi7/tsnsCi15XNdD0+rqQ==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;
- Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
- Delivery-date: Tue, 18 Mar 2025 00:40:12 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHbl55FCdjKP1y9WUaUbohmcfQCbw==
- Thread-topic: [PATCH v2] xen: vm_event: do not do vm_event_op for an invalid domain
A privileged domain can issue XEN_DOMCTL_vm_event_op with
op->domain == DOMID_INVALID. In this case vm_event_domctl()
function will get NULL as the first parameter and this will
cause hypervisor panic, as it tries to derefer this pointer.
Fix the issue by checking if valid domain is passed in.
Fixes: 48b84249459f ("xen/vm-event: Drop unused u_domctl parameter from
vm_event_domctl()")
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
---
This issue was found by the xen fuzzer ([1])
[1]
https://lore.kernel.org/all/20250315003544.1101488-1-volodymyr_babchuk@xxxxxxxx/
In v2:
- Added Fixes: tag
Addressed Andrew's comment:
- Don't printk anything
- Return -ESRCH instead of -EINVAL
- Add comment that describes why do we need this check
---
xen/common/vm_event.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c
index fbf1aa0848..1666ff615f 100644
--- a/xen/common/vm_event.c
+++ b/xen/common/vm_event.c
@@ -600,6 +600,10 @@ int vm_event_domctl(struct domain *d, struct
xen_domctl_vm_event_op *vec)
return 0;
}
+ /* All other subops need to target a real domain. */
+ if ( unlikely(d == NULL) )
+ return -ESRCH;
+
rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op);
if ( rc )
return rc;
--
2.48.1
|