authorJan Beulich <jbeulich@suse.com>2012-12-04 18:49:53 +0000
committerJan Beulich <jbeulich@suse.com>2012-12-04 18:49:53 +0000
commit358ee1ae1b89e586721ca442bcab708dd4b7922d (patch)
treeedfe96d26eb7626599e1d4bd8ed92b6792d6ed4a
parent18c40b58752701b7a08e8394aa614cd4f6e21707 (diff)
x86/HVM: range check xen_hvm_set_mem_access.hvmmem_access before use
Otherwise an out of bounds array access can happen if changing the default access is being requested, which - if it doesn't crash Xen - would subsequently allow reading arbitrary memory through HVMOP_get_mem_access (again, unless that operation crashes Xen). This is XSA-28 / CVE-2012-5512. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Tim Deegan <tim@xen.org> Acked-by: Ian Campbell <ian.campbell@citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com>
-rw-r--r--xen/arch/x86/hvm/hvm.c5
1 files changed, 1 insertions, 4 deletions
diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c
index 98f139141c..9f53728707 100644
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -3728,7 +3728,7 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
return rc;
rc = -EINVAL;
- if ( !is_hvm_domain(d) )
+ if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )
goto param_fail5;
p2m = p2m_get_hostp2m(d);
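Review bot: The relocated range check on `if ( !is_hvm_domain(d) || a.hvmmem_access >= ARRAY_SIZE(memaccess) )` carries no comment saying why it must sit this early, and the commit description is the only place recording that the default-access path (not visible in this hunk) indexes memaccess[] before the point where the check used to live. A later refactor that reorders the validation could silently reintroduce the out-of-bounds read, so I would add `/* Must precede every memaccess[] lookup, including the default-access path. */` directly above the condition. It is also worth confirming that a.hvmmem_access is an unsigned field: the comparison against the size_t result of ARRAY_SIZE() would still reject a negative value through the usual conversions, but an explicitly unsigned type makes the bound obvious to the reader. The enclosing do_hvm_op begins and ends outside this hunk, and the second hunk is only the deletion of the old, too-late check.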
@@ -3748,9 +3748,6 @@ long do_hvm_op(unsigned long op, XEN_GUEST_HANDLE(void) arg)
((a.first_pfn + a.nr - 1) > domain_get_maximum_gpfn(d)) )
goto param_fail5;
- if ( a.hvmmem_access >= ARRAY_SIZE(memaccess) )
- goto param_fail5;
-
for ( pfn = a.first_pfn; pfn < a.first_pfn + a.nr; pfn++ )
{
p2m_type_t t;