diff options
author | Matthew Daley <mattjd@gmail.com> | 2013-10-10 15:24:15 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2013-10-10 15:24:15 +0200 |
commit | 0a3b0fb38ee4cf4eadfb108534acf5ac4665633a (patch) | |
tree | a016f6377483715f960c09ff6ffcc1f18d1c9b5b | |
parent | 09962956f799de2a0f5d6589d52ed7755eaf6ac3 (diff) | |
download | xen-0a3b0fb38ee4cf4eadfb108534acf5ac4665633a.tar.gz xen-0a3b0fb38ee4cf4eadfb108534acf5ac4665633a.tar.bz2 xen-0a3b0fb38ee4cf4eadfb108534acf5ac4665633a.zip |
x86: check segment descriptor read result in 64-bit OUTS emulation
When emulating such an operation from a 64-bit context (CS has long
mode set), and the data segment is overridden to FS/GS, the result of
reading the overridden segment's descriptor (read_descriptor) is not
checked. If it fails, data_base is left uninitialized.
This can lead to 8 bytes of Xen's stack being leaked to the guest
(implicitly, i.e. via the address given in a #PF).
Coverity-ID: 1055116
This is CVE-2013-4368 / XSA-67.
Signed-off-by: Matthew Daley <mattjd@gmail.com>
Fix formatting.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
master commit: 0771faba163769089c9f05f7f76b63e397677613
master date: 2013-10-10 15:19:53 +0200
-rw-r--r-- | xen/arch/x86/traps.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index dfe3da9e6e..2fc992766f 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -2063,10 +2063,10 @@ static int emulate_privileged_op(struct cpu_user_regs *regs) break; } } - else - read_descriptor(data_sel, v, regs, - &data_base, &data_limit, &ar, - 0); + else if ( !read_descriptor(data_sel, v, regs, + &data_base, &data_limit, &ar, 0) || + !(ar & _SEGMENT_S) || !(ar & _SEGMENT_P) ) + goto fail; data_limit = ~0UL; ar = _SEGMENT_WR|_SEGMENT_S|_SEGMENT_DPL|_SEGMENT_P; } |