
[PATCH v2] xen: vm_event: do not do vm_event_op for an invalid domain


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Date: Tue, 18 Mar 2025 00:39:55 +0000
  • Cc: Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>, Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, Alexandru Isaila <aisaila@xxxxxxxxxxxxxxx>, Petre Pircalabu <ppircalabu@xxxxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Delivery-date: Tue, 18 Mar 2025 00:40:12 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

A privileged domain can issue XEN_DOMCTL_vm_event_op with
op->domain == DOMID_INVALID. In this case the vm_event_domctl()
function will get NULL as the first parameter and this will
cause a hypervisor panic, as it tries to dereference this pointer.

Fix the issue by checking if a valid domain is passed in.

Fixes: 48b84249459f ("xen/vm-event: Drop unused u_domctl parameter from vm_event_domctl()")
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>

---

This issue was found by the xen fuzzer ([1])

[1] https://lore.kernel.org/all/20250315003544.1101488-1-volodymyr_babchuk@xxxxxxxx/

In v2:
 - Added Fixes: tag
Addressed Andrew's comment:
 - Don't printk anything
 - Return -ESRCH instead of -EINVAL
 - Add comment that describes why we need this check
---
 xen/common/vm_event.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/xen/common/vm_event.c b/xen/common/vm_event.c
index fbf1aa0848..1666ff615f 100644
--- a/xen/common/vm_event.c
+++ b/xen/common/vm_event.c
@@ -600,6 +600,10 @@ int vm_event_domctl(struct domain *d, struct 
xen_domctl_vm_event_op *vec)
         return 0;
     }
 
+    /* All other subops need to target a real domain. */
+    if ( unlikely(d == NULL) )
+        return -ESRCH;
+
     rc = xsm_vm_event_control(XSM_PRIV, d, vec->mode, vec->op);
     if ( rc )
         return rc;
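
Review bot: The comment on the new `d == NULL` check says "All other subops need to target a real domain" but does not say how d ends up NULL here. The commit message gives the reason (op->domain == DOMID_INVALID), and a reader of vm_event.c will not have it, so consider something like `/* d is NULL for DOMID_INVALID; all other subops need a real domain. */`. Placing the check ahead of xsm_vm_event_control() is right, since it keeps the NULL pointer away from the XSM hook and everything after it. It does rely on the early-return block just above being the only path that is valid without a domain, so any subop later handled above this check must not touch d; a short note to that effect in the comment would help future changes.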
-- 
2.48.1



 

