author | Jan Beulich <jbeulich@suse.com> | 2013-04-05 10:04:03 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2013-04-05 10:04:03 +0200 |
commit | b10b4af626d95cd432576cad0e2f500769c1e002 (patch) | |
tree | f5e69f4730e92d3c82a68595b9ca11d5d0daae5b | |
parent | f2e4f020204f36485ba8d34da80064f3971e09af (diff) | |
defer event channel bucket pointer store until after XSM checks
Otherwise a dangling pointer can be left, which would cause subsequent
memory corruption as soon as the space got re-allocated for some other
purpose.
This is CVE-2013-1920 / XSA-47.
Reported-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
master commit: 99b9ab0b3e7f0e7e5786116773cb7b746f3fab87
master date: 2013-04-05 09:59:03 +0200
-rw-r--r-- | xen/common/event_channel.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index fee9a7a484..5c7bdb6e62 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -104,7 +104,6 @@ static int get_free_port(struct domain *d) if ( unlikely(chn == NULL) ) return -ENOMEM; memset(chn, 0, EVTCHNS_PER_BUCKET * sizeof(*chn)); - bucket_from_port(d, port) = chn; for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ ) { @@ -117,6 +116,8 @@ static int get_free_port(struct domain *d) } } + bucket_from_port(d, port) = chn; + return port; } |
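
Review bot: with the store removed from just after the `memset` in the first hunk, `chn` stays private to `get_free_port()` for the whole `for ( i = 0; i < EVTCHNS_PER_BUCKET; i++ )` loop, so any code in the loop body that reaches the new channels through `bucket_from_port(d, port)` instead of through `chn` directly would now see the slot's old value. The loop body is not part of the shown context; please confirm it only indexes `chn`.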
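
Review bot: the new `bucket_from_port(d, port) = chn;` ahead of `return port;` in the second hunk carries no comment saying its position is deliberate. The commit message explains that storing the pointer before the checks can leave it dangling, but nothing in the code records that. A one-line comment above the store, for example `/* Publish the bucket only after per-channel setup can no longer fail. */`, would keep a later cleanup from moving it back up next to the `memset`.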