| Field | Value | Date |
|---|---|---|
| author | Jan Beulich <jbeulich@suse.com> | 2012-06-18 17:02:01 +0200 |
| committer | Jan Beulich <jbeulich@suse.com> | 2012-06-18 17:02:01 +0200 |
| commit | 73db9f65daca15a4f052d19738d5a1947cc503bd (patch) | |
| tree | bda3ff3c93359836def879669cfda066d087e043 /xen/arch/x86/traps.c | |
| parent | 5f4acea2cec04e8e756ad3ab9291df098b4fb550 (diff) | |
| download | xen-73db9f65daca15a4f052d19738d5a1947cc503bd.tar.gz, xen-73db9f65daca15a4f052d19738d5a1947cc503bd.tar.bz2, xen-73db9f65daca15a4f052d19738d5a1947cc503bd.zip | |
x86-64: don't allow non-canonical addresses to be set for any callback
Rather than deferring the detection of these to the point where they
get actually used (the fix for XSA-7, 25480:76eaf5966c05, causing a #GP
to be raised by IRET, which invokes the guest's [fragile] fail-safe
callback), don't even allow such to be set.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/arch/x86/traps.c')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | xen/arch/x86/traps.c | 6 |

1 file changed, 6 insertions, 0 deletions
diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c index d4fdf64e1d..2264583f14 100644 --- a/xen/arch/x86/traps.c +++ b/xen/arch/x86/traps.c @@ -3581,6 +3581,9 @@ long register_guest_nmi_callback(unsigned long address) struct domain *d = v->domain; struct trap_info *t = &v->arch.pv_vcpu.trap_ctxt[TRAP_nmi]; + if ( !is_canonical_address(address) ) + return -EINVAL; + t->vector = TRAP_nmi; t->flags = 0; t->cs = (is_pv_32on64_domain(d) ? @@ -3708,6 +3711,9 @@ long do_set_trap_table(XEN_GUEST_HANDLE(const_trap_info_t) traps) if ( cur.address == 0 ) break; + if ( !is_canonical_address(cur.address) ) + return -EINVAL; + fixup_guest_code_selector(curr->domain, cur.cs); memcpy(&dst[cur.vector], &cur, sizeof(cur)); |
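Review bot: In the register_guest_nmi_callback hunk, `-EINVAL` is a new return value for this function, so the hypercall paths that call it (not part of this diff) should be checked to propagate it to the guest rather than mask it. The placement is good: the `is_canonical_address(address)` test runs before any field of `t` is written, so a rejected address leaves the previously registered NMI callback untouched. A one-line comment above the check pointing at XSA-7 would make it clear why the address is rejected here instead of at the later IRET, where the commit message says the fault would otherwise surface.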
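Review bot: In the do_set_trap_table hunk, the `is_canonical_address(cur.address)` check returns `-EINVAL` from inside the copy loop, after `memcpy(&dst[cur.vector], &cur, sizeof(cur))` has already run for the entries before it, so a table whose bad address sits in a later entry is rejected but leaves the guest's trap table partially updated. Either state in a comment that partial application is acceptable for this hypercall, or validate every entry's address before committing any of them. The check is correctly placed after the `cur.address == 0` terminator test, so the sentinel entry itself is never rejected.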