diff options
author | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-09-05 12:30:26 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2012-09-05 12:30:26 +0100 |
commit | 4b9e508290c67b1f13bc0f6e059d23ba738995ce (patch) | |
tree | 1778ca9fa5111efbb4a54ddc26a978239a5b8553 /Config.mk | |
parent | 76ea16276c15d89c3b1d67a58e55fa11cf42a1d7 (diff) | |
download | xen-4b9e508290c67b1f13bc0f6e059d23ba738995ce.tar.gz xen-4b9e508290c67b1f13bc0f6e059d23ba738995ce.tar.bz2 xen-4b9e508290c67b1f13bc0f6e059d23ba738995ce.zip |
xen/gnttab: Validate input to GNTTABOP_swap_grant_ref
xen-unstable c/s 24548:d115844ebfbb introduces a new GNTTABOP to swap
grant refs. However, it fails to validate the two refs passed from
the guest.
The result is that passing out-of-range refs can cause Xen to read
past the end of the grant_table->active[] array, and deference
whatever it finds. Typically, this results in Xen trying to deference
a low pointer and fail with a page-fault.
As this hypercall can be issued by an unprivileged guest, this is a
Denial of Service against Xen. This is XSA-18 / CVE-2012-3516.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Paul Durrant <paul.durrant@citrix.com>
Diffstat (limited to 'Config.mk')
0 files changed, 0 insertions, 0 deletions