authorJan Beulich <jbeulich@suse.com>2013-09-30 14:17:46 +0200
committerJan Beulich <jbeulich@suse.com>2013-09-30 14:17:46 +0200
commit6bb838e7375f5b031e9ac346b353775c90de45dc (patch)
tree9a3a447fa05f3e3462b8c1cbc279aa7229a4ca98 /xen/arch/x86/hvm/vmx
parent0a6b415d5212af68249ddf41a20dfc3998c8d670 (diff)
x86: properly handle hvm_copy_from_guest_{phys,virt}() errors
Ignoring them generally implies using uninitialized data and, in all but two of the cases dealt with here, potentially leaking hypervisor stack contents to guests.

This is CVE-2013-4355 / XSA-63.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Tim Deegan <tim@xen.org>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Diffstat (limited to 'xen/arch/x86/hvm/vmx')
-rw-r--r--xen/arch/x86/hvm/vmx/realmode.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/xen/arch/x86/hvm/vmx/realmode.c b/xen/arch/x86/hvm/vmx/realmode.c
index 2e12e24192..45066b270b 100644
--- a/xen/arch/x86/hvm/vmx/realmode.c
+++ b/xen/arch/x86/hvm/vmx/realmode.c
@@ -39,7 +39,9 @@ static void realmode_deliver_exception(
again:
last_byte = (vector * 4) + 3;
- if ( idtr->limit < last_byte )
+ if ( idtr->limit < last_byte ||
+ hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4) !=
+ HVMCOPY_okay )
{
/* Software interrupt? */
if ( insn_len != 0 )
@@ -64,8 +66,6 @@ static void realmode_deliver_exception(
}
}
- (void)hvm_copy_from_guest_phys(&cs_eip, idtr->base + vector * 4, 4);
-
frame[0] = regs->eip + insn_len;
frame[1] = csr->sel;
frame[2] = regs->eflags & ~X86_EFLAGS_RF;
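Review bot: The merged condition on the `if` in the first hunk treats every non-`HVMCOPY_okay` result of hvm_copy_from_guest_phys() exactly like an IDT limit violation, i.e. it escalates through #GP, double fault and triple fault via the `again` loop, but nothing in the code says that fold-in is deliberate. A one-line comment above the `if` would spare the next reader the inference, e.g. `/* An unreadable IDT entry is treated like a limit violation and escalated. */`. If hvm_copy_from_guest_phys() can report a transient status at this call site (such as a paged-out or shared gfn, which is not visible in these hunks), that status also becomes a guest-visible fault rather than a retry; worth confirming against the function's return codes. realmode_deliver_exception() starts before the first hunk and continues past the second.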