diff options
| author | Jan Beulich <jbeulich@suse.com> | 2012-12-06 14:20:15 +0100 |
|---|---|---|
| committer | Jan Beulich <jbeulich@suse.com> | 2012-12-06 14:20:15 +0100 |
| commit | 519b2f205a6e85927816b66e1096d6802ee47f1b (patch) | |
| tree | 9c050cb3dad6ad5d7051fe8459ad004acd8e7964 /xen/common/compat | |
| parent | 8e4addea279da7430d80514828f49013979117e6 (diff) | |
| download | xen-519b2f205a6e85927816b66e1096d6802ee47f1b.tar.gz xen-519b2f205a6e85927816b66e1096d6802ee47f1b.tar.bz2 xen-519b2f205a6e85927816b66e1096d6802ee47f1b.zip | |
tighten guest memory accesses
Failure should always be detected and handled.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'xen/common/compat')
| -rw-r--r-- | xen/common/compat/grant_table.c | 8 | ||||
| -rw-r--r-- | xen/common/compat/memory.c | 13 |
2 files changed, 16 insertions, 5 deletions
diff --git a/xen/common/compat/grant_table.c b/xen/common/compat/grant_table.c index a6e8814770..38f3b37c9b 100644 --- a/xen/common/compat/grant_table.c +++ b/xen/common/compat/grant_table.c @@ -173,7 +173,9 @@ int compat_grant_table_op(unsigned int cmd, for ( i = 0; i < (_s_)->nr_frames; ++i ) \ { \ unsigned int frame = (_s_)->frame_list.p[i]; \ - (void)__copy_to_compat_offset((_d_)->frame_list, i, &frame, 1); \ + if ( __copy_to_compat_offset((_d_)->frame_list, \ + i, &frame, 1) ) \ + (_s_)->status = GNTST_bad_virt_addr; \ } \ } \ } while (0) @@ -310,7 +312,9 @@ int compat_grant_table_op(unsigned int cmd, for ( i = 0; i < (_s_)->nr_frames; ++i ) \ { \ uint64_t frame = (_s_)->frame_list.p[i]; \ - (void)__copy_to_compat_offset((_d_)->frame_list, i, &frame, 1); \ + if ( __copy_to_compat_offset((_d_)->frame_list, \ + i, &frame, 1) ) \ + (_s_)->status = GNTST_bad_virt_addr; \ } \ } \ } while (0) diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c index a49f51b7fb..9e0192590d 100644 --- a/xen/common/compat/memory.c +++ b/xen/common/compat/memory.c @@ -283,18 +283,25 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat) compat_pfn_t pfn = nat.xchg->out.extent_start.p[start_extent]; BUG_ON(pfn != nat.xchg->out.extent_start.p[start_extent]); - /* Note that we ignore errors accessing the output extent list. */ - __copy_to_compat_offset(cmp.xchg.out.extent_start, start_extent, &pfn, 1); + if ( __copy_to_compat_offset(cmp.xchg.out.extent_start, + start_extent, &pfn, 1) ) + { + rc = -EFAULT; + break; + } } cmp.xchg.nr_exchanged = nat.xchg->nr_exchanged; if ( copy_field_to_guest(guest_handle_cast(compat, compat_memory_exchange_t), &cmp.xchg, nr_exchanged) ) + rc = -EFAULT; + + if ( rc < 0 ) { if ( split < 0 ) /* Cannot cancel the continuation... */ domain_crash(current->domain); - return -EFAULT; + return rc; } break; } |