authorJan Beulich <jbeulich@suse.com>2012-12-04 18:02:44 +0000
committerJan Beulich <jbeulich@suse.com>2012-12-04 18:02:44 +0000
commit936c2abaddafb2d0480e86822ec9c281b7dda2e3 (patch)
treed7a4a168a807fef529b665315118e1a7647f3284
parent035f1023c47da339b7f710e32c42571326a7b887 (diff)
xen: add missing guest address range checks to XENMEM_exchange handlers
Ever since its existence (3.0.3 iirc) the handler for this has been using non-address-range-checking guest memory accessors (i.e. the ones prefixed with two underscores) without first range-checking the accessed space (via guest_handle_okay()), allowing a guest to read and overwrite hypervisor memory. This is XSA-29 / CVE-2012-5513. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Acked-by: Ian Jackson <ian.jackson@eu.citrix.com> Committed-by: Ian Jackson <ian.jackson.citrix.com>
-rw-r--r--xen/common/compat/memory.c6
-rw-r--r--xen/common/memory.c7
2 files changed, 13 insertions, 0 deletions
diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
index e7257cc53e..308017a95f 100644
--- a/xen/common/compat/memory.c
+++ b/xen/common/compat/memory.c
@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE(void) compat)
(cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
return -EINVAL;
+ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
+ cmp.xchg.in.nr_extents) ||
+ !compat_handle_okay(cmp.xchg.out.extent_start,
+ cmp.xchg.out.nr_extents) )
+ return -EFAULT;
+
start_extent = cmp.xchg.nr_exchanged;
end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
(((1U << ABS(order_delta)) + 1) *
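Review bot: The new compat_handle_okay() pair has no comment saying why it is load-bearing, so a later cleanup that switches the element accessors back to the range-checking variants, or moves this block, will not know the `__copy_*_compat_offset()` calls further down (per the commit message) depend on it; I would put `/* The __copy_{from,to}_compat_offset() accessors used below do no range checking, so validate both whole arrays here; checking from 0 rather than nr_exchanged also covers every continuation. */` above the `if`. Placing the check after the -EINVAL block is sensible, since the `~0U <` shift checks at the top of the hunk already bound nr_extents to 32 bits and so the count*sizeof(compat_pfn_t) product inside the handle check cannot wrap on a 64-bit hypervisor (I am assuming the compat layer only exists there — worth confirming). The enclosing compat_memory_op() case starts and ends outside this hunk.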
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 8779d6bd7d..f67f7a2bed 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HANDLE(xen_memory_exchange_t) arg)
goto fail_early;
}
+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
+ {
+ rc = -EFAULT;
+ goto fail_early;
+ }
+
/* Only privileged guests can allocate multi-page contiguous extents. */
if ( !multipage_allocation_permitted(current->domain,
exch.in.extent_order) ||
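Review bot: The added guest_handle_okay() block validates the full [0, nr_extents) range even though the accesses presumably start at exch.nr_exchanged, and nothing says that this is deliberate (a continuation re-enters here, so the up-front check is what keeps the later underscore-prefixed accessors named in the commit message safe on every pass); I would add `/* The __copy_*_guest_offset() accessors below do no range checking: validate both whole arrays up front so every continuation is covered. */` above the `if`. Since the compat path in the other file builds a native xen_memory_exchange_t (nat.xchg) whose extent_start handles appear to point into the translation area rather than guest memory, this check now also runs on those handles and relies on guest_handle_okay() accepting that range — if that is the case it deserves a one-line note here, as a reader seeing -EFAULT from the compat path will otherwise look in the wrong place. memory_exchange() starts and ends outside this hunk.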