diff options
author | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-11-14 11:46:12 +0000 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-11-14 11:46:12 +0000 |
commit | 95a0c10357c502a0b0b960e7133e792695ef0b58 (patch) | |
tree | 8aa00758b75a1895f798fd50ddd6de1ff20f610e | |
parent | 1d435032de14b9dec808102940309047903f7ed0 (diff) | |
download | xen-95a0c10357c502a0b0b960e7133e792695ef0b58.tar.gz xen-95a0c10357c502a0b0b960e7133e792695ef0b58.tar.bz2 xen-95a0c10357c502a0b0b960e7133e792695ef0b58.zip |
compat/gnttab: Prevent infinite loop in compat code
c/s 20281:95ea2052b41b, which introduces Grant Table version 2
hypercalls introduces a vulnerability whereby the compat hypercall
handler can fall into an infinite loop.
If the watchdog is enabled, Xen will die after the timeout.
This is a security problem, XSA-24 / CVE-2012-4539.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
xen-unstable changeset: 26151:b64a7d868f06
Backport-requested-by: security@xen.org
Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
-rw-r--r-- | xen/common/compat/grant_table.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c index ca60395f0a..d09a65b615 100644 --- a/xen/common/compat/grant_table.c +++ b/xen/common/compat/grant_table.c @@ -310,6 +310,8 @@ int compat_grant_table_op(unsigned int cmd, #undef XLAT_gnttab_get_status_frames_HNDL_frame_list if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) ) rc = -EFAULT; + else + i = 1; } break; } |