aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew Daley <mattjd@gmail.com>2013-10-10 15:24:15 +0200
committerJan Beulich <jbeulich@suse.com>2013-10-10 15:24:15 +0200
commit0a3b0fb38ee4cf4eadfb108534acf5ac4665633a (patch)
treea016f6377483715f960c09ff6ffcc1f18d1c9b5b
parent09962956f799de2a0f5d6589d52ed7755eaf6ac3 (diff)
downloadxen-0a3b0fb38ee4cf4eadfb108534acf5ac4665633a.tar.gz
xen-0a3b0fb38ee4cf4eadfb108534acf5ac4665633a.tar.bz2
xen-0a3b0fb38ee4cf4eadfb108534acf5ac4665633a.zip
x86: check segment descriptor read result in 64-bit OUTS emulation
When emulating such an operation from a 64-bit context (CS has long mode set), and the data segment is overridden to FS/GS, the result of reading the overridden segment's descriptor (read_descriptor) is not checked. If it fails, data_base is left uninitialized. This can lead to 8 bytes of Xen's stack being leaked to the guest (implicitly, i.e. via the address given in a #PF). Coverity-ID: 1055116 This is CVE-2013-4368 / XSA-67. Signed-off-by: Matthew Daley <mattjd@gmail.com> Fix formatting. Signed-off-by: Jan Beulich <jbeulich@suse.com> master commit: 0771faba163769089c9f05f7f76b63e397677613 master date: 2013-10-10 15:19:53 +0200
Diffstat
-rw-r--r--xen/arch/x86/traps.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index dfe3da9e6e..2fc992766f 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2063,10 +2063,10 @@ static int emulate_privileged_op(struct cpu_user_regs *regs)
break;
}
}
- else
- read_descriptor(data_sel, v, regs,
- &data_base, &data_limit, &ar,
- 0);
+ else if ( !read_descriptor(data_sel, v, regs,
+ &data_base, &data_limit, &ar, 0) ||
+ !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) )
+ goto fail;
data_limit = ~0UL;
ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-17 08:54:30 +0000