author | Jan Beulich <jbeulich@suse.com> | 2012-06-18 17:02:01 +0200 |
---|---|---|
committer | Jan Beulich <jbeulich@suse.com> | 2012-06-18 17:02:01 +0200 |
commit | 73db9f65daca15a4f052d19738d5a1947cc503bd (patch) | |
tree | bda3ff3c93359836def879669cfda066d087e043 /xen/arch/x86/domain.c | |
parent | 5f4acea2cec04e8e756ad3ab9291df098b4fb550 (diff) | |
x86-64: don't allow non-canonical addresses to be set for any callback
Rather than deferring the detection of these to the point where they
get actually used (the fix for XSA-7, 25480:76eaf5966c05, causing a #GP
to be raised by IRET, which invokes the guest's [fragile] fail-safe
callback), don't even allow such addresses to be set.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/arch/x86/domain.c')
-rw-r--r-- | xen/arch/x86/domain.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index ac3b6b8b5b..5bba4b9f5c 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -736,6 +736,14 @@ int arch_set_info_guest(
 {
 if ( !compat )
 {
+#ifdef __x86_64__
+ if ( !is_canonical_address(c.nat->user_regs.eip) ||
+ !is_canonical_address(c.nat->event_callback_eip) ||
+ !is_canonical_address(c.nat->syscall_callback_eip) ||
+ !is_canonical_address(c.nat->failsafe_callback_eip) )
+ return -EINVAL;
+#endif
+
 fixup_guest_stack_selector(d, c.nat->user_regs.ss);
 fixup_guest_stack_selector(d, c.nat->kernel_ss);
 fixup_guest_code_selector(d, c.nat->user_regs.cs);
@@ -745,7 +753,11 @@ int arch_set_info_guest(
 #endif
 
 for ( i = 0; i < 256; i++ )
+ {
+ if ( !is_canonical_address(c.nat->trap_ctxt[i].address) )
+ return -EINVAL;
 fixup_guest_code_selector(d, c.nat->trap_ctxt[i].cs);
+ }
 
 /* LDT safety checks. */
 if ( ((c.nat->ldt_base & (PAGE_SIZE-1)) != 0) ||
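Review bot: The two hunks guard the new canonicality checks inconsistently: the first wraps its `is_canonical_address()` calls on the callback EIPs in `#ifdef __x86_64__`, while the second hunk's check on `c.nat->trap_ctxt[i].address` inside the `for ( i = 0; i < 256; i++ )` loop is unconditional, so the 32-bit build depends on `is_canonical_address` being defined for it as well (presumably a trivial always-true definition, but that is not visible here and should be confirmed). Either both checks should sit under the same `#ifdef`, or neither should, so a reader does not have to wonder whether the trap-table check is deliberately stronger than the callback check. The rejection is also the kind of guest-visible contract change that deserves a why-comment at the first check, e.g. `/* Non-canonical values would #GP on IRET and land in the fragile failsafe callback (XSA-7); reject them here instead. */`. The body of arch_set_info_guest begins before the first hunk and continues past the second.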