xen/gnttab: Validate input to GNTTABOP_swap_grant_ref

xen-unstable c/s 24548:d115844ebfbb introduces a new GNTTABOP to swap
grant refs.  However, it fails to validate the two refs passed from
the guest.

The result is that passing out-of-range refs can cause Xen to read
past the end of the grant_table->active[] array, and deference
whatever it finds.  Typically, this results in Xen trying to deference
a low pointer and fail with a page-fault.

As this hypercall can be issued by an unprivileged guest, this is a
Denial of Service against Xen.  This is XSA-18 / CVE-2012-3516.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Paul Durrant <paul.durrant@citrix.com>

0 files changed, 0 insertions, 0 deletions