authorJan Beulich <jbeulich@suse.com>2013-09-30 14:17:46 +0200
committerJan Beulich <jbeulich@suse.com>2013-09-30 14:17:46 +0200
commit6bb838e7375f5b031e9ac346b353775c90de45dc (patch)
tree9a3a447fa05f3e3462b8c1cbc279aa7229a4ca98 /xen/arch/x86/hvm/io.c
parent0a6b415d5212af68249ddf41a20dfc3998c8d670 (diff)
x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
Ignoring them generally implies using uninitialized data and, in all but two of the cases dealt with here, potentially leaking hypervisor stack contents to guests. This is CVE-2013-4355 / XSA-63. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Tim Deegan <tim@xen.org> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Diffstat (limited to 'xen/arch/x86/hvm/io.c')
-rw-r--r--xen/arch/x86/hvm/io.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/xen/arch/x86/hvm/io.c b/xen/arch/x86/hvm/io.c
index 4ae2c0c342..5f5009a179 100644
--- a/xen/arch/x86/hvm/io.c
+++ b/xen/arch/x86/hvm/io.c
@@ -340,14 +340,24 @@ static int dpci_ioport_write(uint32_t mport, ioreq_t *p)
data = p->data;
if ( p->data_is_ptr )
{
- int ret;
-
- ret = hvm_copy_from_guest_phys(&data,
- p->data + (sign * i * p->size),
- p->size);
- if ( (ret == HVMCOPY_gfn_paged_out) &&
- (ret == HVMCOPY_gfn_shared) )
+ switch ( hvm_copy_from_guest_phys(&data,
+ p->data + sign * i * p->size,
+ p->size) )
+ {
+ case HVMCOPY_okay:
+ break;
+ case HVMCOPY_gfn_paged_out:
+ case HVMCOPY_gfn_shared:
return X86EMUL_RETRY;
+ case HVMCOPY_bad_gfn_to_mfn:
+ data = ~0;
+ break;
+ case HVMCOPY_bad_gva_to_gfn:
+ ASSERT(0);
+ /* fall through */
+ default:
+ return X86EMUL_UNHANDLEABLE;
+ }
}
switch ( p->size )
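Review bot: The `return X86EMUL_RETRY;` and `return X86EMUL_UNHANDLEABLE;` exits are taken per element (the source address is indexed by `i`, so this presumably sits inside a loop whose header is outside the hunk), so a copy failure on a later element returns after earlier elements have already been written to the passed-through port. Whether the caller replays the whole request on retry is not visible here; if it does, those device writes are repeated, so it would help either to report how many elements completed or to state the replay assumption in a comment above the switch. The `HVMCOPY_bad_gfn_to_mfn` case would also benefit from a one-line rationale, e.g. `/* No usable frame behind this gfn: write all-ones rather than the pointer value still held in data. */`, since `data` was preloaded from `p->data` just above. dpci_ioport_write starts and ends outside the hunk.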