Xen project Mailing List

[PATCH v2] xen: vm_event: do not do vm_event_op for an invalid domain

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Date: Tue, 18 Mar 2025 00:39:55 +0000

Accept-language: en-US

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=epam.com; dmarc=pass action=none header.from=epam.com; dkim=pass header.d=epam.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=NXv4xU4x+53wBXOUxfeyQ86OQhwSjk5uUNJFUrGsBfY=; b=Pi8cBNLwY65DyXPcxbxXdPbqRbHOcdhNMOuY7yIexFtNY/0vhg2+V8wSxHCUyjAYZ1iwt+KPjGzd7jEhouqk7Oi2DEcG1tZ2F0qacc+bcITt0Ly4e4NXSIPYwEwMRBsNHoQUj/XpdaMC7rIqsGRok/HZxAIExLlr6e8B1oNr05MBmbbLoqqXmn9e5kqM7fkyPPXxzDKUCu6t8E2EYcjqDGgRA33JU26TLlavPP/+CePBtzVfJFV/CaaXmUqj93Bqb0KFq7r2TC2mTDv76y+C+5qpA/9fIOtiPjGDDB+rX4Yf8EJsvQVPEcxRDCD/ntehTFsR1EKfUBOymExULMmXfg==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=RQRIU+jBy842nAozs8x9qUtArsKU/pMq+B7wIzpJwUxLcbVXjPylMmg+8yb/+bdZQnNzWXAsjHZXlWi3dHpZlZtzpIz3VvYGyFgobCQBdMwTrdjAHkwz6SA1pLlws/f9O8Nmt/GxaZctiRJX7O5ylQsYMAk+QL1iPaDoHaw32VPEafBNh9biQwo70NEPBzw4Aaaa6DGL/vze4XQzqlzkHvQVaVFvOXN9y9Si2GE8CldsDY/IXr18ktvWzYHTDQdDdtJaTVRLoEWPWM7aR9dUYKt2jLyEF/ezPBfWxkH3h28pCPZpwqcht3CUg78kRV+kffi7/tsnsCi15XNdD0+rqQ==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=epam.com;

Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Delivery-date: Tue, 18 Mar 2025 00:40:12 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Thread-index: AQHbl55FCdjKP1y9WUaUbohmcfQCbw==

Thread-topic: [PATCH v2] xen: vm_event: do not do vm_event_op for an invalid domain

A privileged domain can issue XEN_DOMCTL_vm_event_op with op->domain == DOMID_INVALID. In this case vm_event_domctl() function will get NULL as the first parameter and this will cause hypervisor panic, as it tries to derefer this pointer. Fix the issue by checking if valid domain is passed in. Fixes: 48b84249459f ("xen/vm-event: Drop unused u_domctl parameter from vm_event_domctl()") Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx> --- This issue was found by the xen fuzzer ([1]) [1] https://lore.kernel.org/all/20250315003544.1101488-1-volodymyr_babchuk@xxxxxxxx/ In v2: - Added Fixes: tag Addressed Andrew's comment: - Don't printk anything - Return -ESRCH instead of -EINVAL - Add comment that describes why do we need this check --- xen/common/vm_event.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c index fbf1aa0848..1666ff615f 100644 --- a/xen/common/vm_event.c +++ b/xen/common/vm_event.c @@ -600,6 +600,10 @@ int vm_event_domctl(struct domain *d, struct xen_domctl_vm_event_op *vec) return 0; } + /* All other subops need to target a real domain. */ + if ( unlikely(d == NULL) ) + return -ESRCH; + rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op); if ( rc ) return rc; -- 2.48.1

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.