authorJan Beulich <jbeulich@suse.com>2012-06-18 17:02:01 +0200
committerJan Beulich <jbeulich@suse.com>2012-06-18 17:02:01 +0200
commit73db9f65daca15a4f052d19738d5a1947cc503bd (patch)
treebda3ff3c93359836def879669cfda066d087e043 /xen/arch/x86/domain.c
parent5f4acea2cec04e8e756ad3ab9291df098b4fb550 (diff)
x86-64: don't allow non-canonical addresses to be set for any callback
Rather than deferring the detection of these to the point where they get actually used (the fix for XSA-7, 25480:76eaf5966c05, causing a #GP to be raised by IRET, which invokes the guest's [fragile] fail-safe callback), don't even allow such to be set. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/arch/x86/domain.c')
-rw-r--r--xen/arch/x86/domain.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index ac3b6b8b5b..5bba4b9f5c 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -736,6 +736,14 @@ int arch_set_info_guest(
{
if ( !compat )
{
+#ifdef __x86_64__
+ if ( !is_canonical_address(c.nat->user_regs.eip) ||
+ !is_canonical_address(c.nat->event_callback_eip) ||
+ !is_canonical_address(c.nat->syscall_callback_eip) ||
+ !is_canonical_address(c.nat->failsafe_callback_eip) )
+ return -EINVAL;
+#endif
+
fixup_guest_stack_selector(d, c.nat->user_regs.ss);
fixup_guest_stack_selector(d, c.nat->kernel_ss);
fixup_guest_code_selector(d, c.nat->user_regs.cs);
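Review bot: The new canonical-address guard under `#ifdef __x86_64__` carries no comment saying why these four fields in particular are rejected, so a later reader sees an unexplained early `return -EINVAL` in front of the selector fixups; a one-line comment above the block would preserve the rationale from the commit message, e.g. `/* Non-canonical eip/callback addresses would otherwise only be caught when IRET faults (XSA-7); reject them up front. */`. The early return also unwinds nothing, so it is only correct if everything before this point in arch_set_info_guest is pure validation and has not yet modified the vcpu; from this hunk alone I cannot confirm that, so it is worth checking against the preceding code. Note that the check is deliberately limited to the `!compat` branch, which presumably is because compat guests supply 32-bit addresses that are canonical by construction — a short comment to that effect would save the next reader the same question. arch_set_info_guest starts before this hunk and continues past it.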
@@ -745,7 +753,11 @@ int arch_set_info_guest(
#endif
for ( i = 0; i < 256; i++ )
+ {
+ if ( !is_canonical_address(c.nat->trap_ctxt[i].address) )
+ return -EINVAL;
fixup_guest_code_selector(d, c.nat->trap_ctxt[i].cs);
+ }
/* LDT safety checks. */
if ( ((c.nat->ldt_base & (PAGE_SIZE-1)) != 0) ||