diff options
author | Jan Beulich <jbeulich@suse.com> | 2012-12-04 18:49:53 +0000 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2012-12-04 18:49:53 +0000 |
commit | 358ee1ae1b89e586721ca442bcab708dd4b7922d (patch) | |
tree | edfe96d26eb7626599e1d4bd8ed92b6792d6ed4a | |
parent | 18c40b58752701b7a08e8394aa614cd4f6e21707 (diff) | |
download | xen-358ee1ae1b89e586721ca442bcab708dd4b7922d.tar.gz xen-358ee1ae1b89e586721ca442bcab708dd4b7922d.tar.bz2 xen-358ee1ae1b89e586721ca442bcab708dd4b7922d.zip |
x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use
Otherwise an out of bounds array access can happen if changing the
default access is being requested, which - if it doesn't crash Xen -
would subsequently allow reading arbitrary memory through
HVMOP_get_mem_access (again, unless that operation crashes Xen).
This is XSA-28 / CVE-2012-5512.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Tim Deegan <tim@xen.org>
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Committed-by: Ian Jackson <ian.jackson.citrix.com>
-rw-r--r-- | xen/arch/x86/hvm/hvm.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index 98f139141c..9f53728707 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -3728,7 +3728,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg) return rc; rc = -EINVAL; - if ( !is_hvm_domain(d) ) + if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) ) goto param_fail5; p2m = p2m_get_hostp2m(d); @@ -3748,9 +3748,6 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg) ((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) ) goto param_fail5; - if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) ) - goto param_fail5; - for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ ) { p2m_type_t t; |