diff options
author | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-11-14 11:35:06 +0000 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-11-14 11:35:06 +0000 |
commit | 50d1a7fea0a60cd66733cfd8666a95f00d586549 (patch) | |
tree | fe0e65652b6deafd04041170b503c7d9d9c241bf | |
parent | f2e0eab9afae9245f38a31deeafe90953d63ea07 (diff) | |
download | xen-50d1a7fea0a60cd66733cfd8666a95f00d586549.tar.gz xen-50d1a7fea0a60cd66733cfd8666a95f00d586549.tar.bz2 xen-50d1a7fea0a60cd66733cfd8666a95f00d586549.zip |
x86/physdev: Range check pirq parameter from guests
Otherwise Xen will read beyond either end of the struct
domain.arch.pirq_emuirq array, usually resulting in a fatal page fault.
This vulnerability was introduced by c/s 23241:d21100f1d00e, which adds
a call to domain_pirq_to_emuirq() which uses the guest provided pirq
value before range checking it, and was fixed by c/s 23573:584c2e5e03d9
which changed the behaviour of the domain_pirq_to_emuirq() macro to use
radix trees instead of a flat array.
This is XSA-21 / CVE-2012-4536.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-rw-r--r-- | xen/arch/x86/physdev.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/xen/arch/x86/physdev.c b/xen/arch/x86/physdev.c index 7d5a0234ef..de364f0c8d 100644 --- a/xen/arch/x86/physdev.c +++ b/xen/arch/x86/physdev.c @@ -234,6 +234,10 @@ static int physdev_unmap_pirq(struct physdev_unmap_pirq *unmap) if ( ret ) return ret; + ret = -EINVAL; + if ( unmap->pirq < 0 || unmap->pirq >= d->nr_pirqs ) + goto free_domain; + if ( is_hvm_domain(d) ) { spin_lock(&d->event_lock); |