authorIan Jackson <Ian.Jackson@eu.citrix.com>2012-09-05 12:30:26 +0100
committerIan Jackson <Ian.Jackson@eu.citrix.com>2012-09-05 12:30:26 +0100
commit4b9e508290c67b1f13bc0f6e059d23ba738995ce (patch)
tree1778ca9fa5111efbb4a54ddc26a978239a5b8553
parent76ea16276c15d89c3b1d67a58e55fa11cf42a1d7 (diff)
xen/gnttab: Validate input to GNTTABOP_swap_grant_ref
xen-unstable c/s 24548:d115844ebfbb introduces a new GNTTABOP to swap grant refs. However, it fails to validate the two refs passed from the guest. The result is that passing out-of-range refs can cause Xen to read past the end of the grant_table->active[] array, and dereference whatever it finds. Typically, this results in Xen trying to dereference a low pointer and failing with a page-fault. As this hypercall can be issued by an unprivileged guest, this is a Denial of Service against Xen. This is XSA-18 / CVE-2012-3516. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Paul Durrant <paul.durrant@citrix.com>
-rw-r--r--xen/common/grant_table.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 20fee66ef8..a9864d7db7 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2339,6 +2339,12 @@ __gnttab_swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b)
spin_lock(&gt->lock);
+ /* Bounds check on the grant refs */
+ if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
+ if ( unlikely(ref_b >= nr_grant_entries(d->grant_table)))
+ PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-b (%d).\n", ref_b);
+
act = &active_entry(gt, ref_a);
if ( act->pin )
PIN_FAIL(out, GNTST_eagain, "ref a %ld busy\n", (long)ref_a);