diff options
| author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:43:19 +0100 |
|---|---|---|
| committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:43:19 +0100 |
| commit | 052a689aa526ca51fd70528d4b0f83dfb2de99c1 (patch) | |
| tree | cd90aaf8b7cea6212b2cb118698176f819e3786d | |
| parent | 8dc90d163650ce8aa36ae0b46debab83cc61edb6 (diff) | |
| download | xen-052a689aa526ca51fd70528d4b0f83dfb2de99c1.tar.gz xen-052a689aa526ca51fd70528d4b0f83dfb2de99c1.tar.bz2 xen-052a689aa526ca51fd70528d4b0f83dfb2de99c1.zip | |
libxc: range checks in xc_dom_p2m_host and _guest
These functions take guest pfns and look them up in the p2m. They did
no range checking.
However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
to pass untrusted guest-supplied value(s). It is most convenient to
detect this here and return INVALID_MFN.
This is part of the fix to a security issue, XSA-55.
Changes from Xen 4.2 version of this patch:
* 4.2 lacks dom->rambase_pfn, so don't add/subtract/check it.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
| -rw-r--r-- | tools/libxc/xc_dom.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h index 0161459489..d801f66072 100644 --- a/tools/libxc/xc_dom.h +++ b/tools/libxc/xc_dom.h @@ -331,6 +331,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn) { if (dom->shadow_enabled) return pfn; + if (pfn >= dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn]; } @@ -339,6 +341,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom, { if (xc_dom_feature_translated(dom)) return pfn; + if (pfn >= dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn]; } |