diff options
author | Ian Jackson <ian.jackson@eu.citrix.com> | 2013-06-14 16:39:38 +0100 |
---|---|---|
committer | Ian Jackson <Ian.Jackson@eu.citrix.com> | 2013-06-14 16:39:38 +0100 |
commit | de7911eaef98b6643d80e4612fe4dcd4528d15b9 (patch) | |
tree | f4fcede7e6961cd09c0150c921c9595287302ce0 /tools/libxc | |
parent | 3d5a1d4733e55e33521cd5004cab1313e5c5d5ff (diff) | |
download | xen-de7911eaef98b6643d80e4612fe4dcd4528d15b9.tar.gz xen-de7911eaef98b6643d80e4612fe4dcd4528d15b9.tar.bz2 xen-de7911eaef98b6643d80e4612fe4dcd4528d15b9.zip |
libxc: range checks in xc_dom_p2m_host and _guest
These functions take guest pfns and look them up in the p2m. They did
no range checking.
However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
to pass untrusted guest-supplied value(s). It is most convenient to
detect this here and return INVALID_MFN.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Tim Deegan <tim@xen.org>
Reviewed-by: George Dunlap <george.dunlap@eu.citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Chuck Anderson <chuck.anderson@oracle.com>
v6: Check for underflow too (thanks to Andrew Cooper).
Diffstat (limited to 'tools/libxc')
-rw-r--r-- | tools/libxc/xc_dom.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h index 5968e7bc2c..86e23eea9c 100644 --- a/tools/libxc/xc_dom.h +++ b/tools/libxc/xc_dom.h @@ -342,6 +342,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn) { if (dom->shadow_enabled) return pfn; + if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn - dom->rambase_pfn]; } @@ -350,6 +352,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom, { if (xc_dom_feature_translated(dom)) return pfn; + if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn - dom->rambase_pfn]; } |