libxc: Better range check in xc_dom_alloc_segment

If seg->pfn is too large, the arithmetic in the range check might overflow, defeating the range check. This is part of the fix to a security issue, XSA-55. Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
author: Ian Jackson <ian.jackson@eu.citrix.com> 2013-06-14 16:43:19 +0100
committer: Ian Jackson <Ian.Jackson@eu.citrix.com> 2013-06-14 16:43:19 +0100
commit: d21d36e84354c04638b60a739a5f7c3d9f8adaf8 (patch)
tree: 3623b58883ff2009a18200729816dc110392a405
parent: 2a548e22915535ac13694eb38222903bca7245e3 (diff)
download: xen-d21d36e84354c04638b60a739a5f7c3d9f8adaf8.tar.gz
xen-d21d36e84354c04638b60a739a5f7c3d9f8adaf8.tar.bz2
xen-d21d36e84354c04638b60a739a5f7c3d9f8adaf8.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c
index f8d1b08ba8..e79e38d513 100644
--- a/tools/libxc/xc_dom_core.c
+++ b/tools/libxc/xc_dom_core.c
@@ -509,7 +509,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom,
     seg->vstart = start;
     seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size;
 
-    if ( pages > dom->total_pages || /* double test avoids overflow probs */
+    if ( pages > dom->total_pages || /* multiple test avoids overflow probs */
+         seg->pfn > dom->total_pages ||
          pages > dom->total_pages - seg->pfn)
     {
         xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY,
author	Ian Jackson <ian.jackson@eu.citrix.com>	2013-06-14 16:43:19 +0100
committer	Ian Jackson <Ian.Jackson@eu.citrix.com>	2013-06-14 16:43:19 +0100
commit	d21d36e84354c04638b60a739a5f7c3d9f8adaf8 (patch)
tree	3623b58883ff2009a18200729816dc110392a405
parent	2a548e22915535ac13694eb38222903bca7245e3 (diff)
download	xen-d21d36e84354c04638b60a739a5f7c3d9f8adaf8.tar.gz xen-d21d36e84354c04638b60a739a5f7c3d9f8adaf8.tar.bz2 xen-d21d36e84354c04638b60a739a5f7c3d9f8adaf8.zip