compat/gnttab: Prevent infinite loop in compat codestaging-4.0 stable-4.0

c/s 20281:95ea2052b41b, which introduces Grant Table version 2 hypercalls introduces a vulnerability whereby the compat hypercall handler can fall into an infinite loop. If the watchdog is enabled, Xen will die after the timeout. This is a security problem, XSA-24 / CVE-2012-4539. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson@eu.citrix.com> xen-unstable changeset: 26151:b64a7d868f06 Backport-requested-by: security@xen.org Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
author: Ian Jackson <Ian.Jackson@eu.citrix.com> 2012-11-14 11:46:35 +0000
committer: Ian Jackson <Ian.Jackson@eu.citrix.com> 2012-11-14 11:46:35 +0000
commit: 2692df2a2c6ca3c09ef6c3d064f36e3630ff9bdc (patch)
tree: 34925de43d75543a6e9b18cc50b45230af2ddf4f
parent: e201bce9a19d158ee979ed9a6690cfeede925c1f (diff)
download: xen-stable-4.0.tar.gz
xen-stable-4.0.tar.bz2
xen-stable-4.0.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c
index ca60395f0a..d09a65b615 100644
--- a/xen/common/compat/grant_table.c
+++ b/xen/common/compat/grant_table.c
@@ -310,6 +310,8 @@ int compat_grant_table_op(unsigned int cmd,
 #undef XLAT_gnttab_get_status_frames_HNDL_frame_list
                 if ( unlikely(__copy_to_guest(cmp_uop, &cmp.get_status, 1)) )
                     rc = -EFAULT;
+                else
+                    i = 1;
             }
             break;
         }
author	Ian Jackson <Ian.Jackson@eu.citrix.com>	2012-11-14 11:46:35 +0000
committer	Ian Jackson <Ian.Jackson@eu.citrix.com>	2012-11-14 11:46:35 +0000
commit	2692df2a2c6ca3c09ef6c3d064f36e3630ff9bdc (patch)
tree	34925de43d75543a6e9b18cc50b45230af2ddf4f
parent	e201bce9a19d158ee979ed9a6690cfeede925c1f (diff)
download	xen-stable-4.0.tar.gz xen-stable-4.0.tar.bz2 xen-stable-4.0.zip