File CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch of Package xen
References: bsc#969125 CVE-2015-8817
Subject: exec: Respect as_translate_internal length clamp
From: Peter Crosthwaite peter.crosthwaite@xilinx.com Mon Mar 16 22:35:54 2015 -0700
Date: Mon Apr 27 18:24:19 2015 +0200:
Git: 23820dbfc79d1c9dce090b4c555994f2bb6a69b3
address_space_translate_internal will clamp the *plen length argument based on the size of the memory region being queried. The iommu walker logic in addresss_space_translate was ignoring this by discarding the post fn call value of *plen. Fix by just always using *plen as the length argument throughout the fn, removing the len local variable. This fixes a bootloader bug when a single elf section spans multiple QEMU memory regions.
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/exec.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/exec.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/exec.c
@@ -267,6 +267,18 @@ address_space_translate_internal(Address
     return section;
 }
 
+static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
+{
+    if (memory_region_is_ram(mr)) {
+        return !(is_write && mr->readonly);
+    }
+    if (memory_region_is_romd(mr)) {
+        return !is_write;
+    }
+
+    return false;
+}
+
 MemoryRegion *address_space_translate(AddressSpace *as, hwaddr addr,
                                       hwaddr *xlat, hwaddr *plen,
                                       bool is_write)
@@ -274,10 +286,9 @@ MemoryRegion *address_space_translate(Ad
     IOMMUTLBEntry iotlb;
     MemoryRegionSection *section;
     MemoryRegion *mr;
-    hwaddr len = *plen;
 
     for (;;) {
-        section = address_space_translate_internal(as->dispatch, addr, &addr, &len, true);
+        section = address_space_translate_internal(as->dispatch, addr, &addr, plen, true);
         mr = section->mr;
 
         if (!mr->iommu_ops) {
@@ -287,7 +298,7 @@ MemoryRegion *address_space_translate(Ad
         iotlb = mr->iommu_ops->translate(mr, addr);
         addr = ((iotlb.translated_addr & ~iotlb.addr_mask)
                 | (addr & iotlb.addr_mask));
-        len = MIN(len, (addr | iotlb.addr_mask) - addr + 1);
+        *plen = MIN(*plen, (addr | iotlb.addr_mask) - addr + 1);
         if (!(iotlb.perm & (1 << is_write))) {
             mr = &io_mem_unassigned;
             break;
@@ -296,7 +307,11 @@ MemoryRegion *address_space_translate(Ad
         as = iotlb.target_as;
     }
 
-    *plen = len;
+    if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
+        hwaddr page = ((addr & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE) - addr;
+        *plen = MIN(page, *plen);
+    }
+
     *xlat = addr;
     return mr;
 }
@@ -1900,18 +1915,6 @@ static void invalidate_and_set_dirty(hwa
     xen_modified_memory(addr, length);
 }
 
-static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
-{
-    if (memory_region_is_ram(mr)) {
-        return !(is_write && mr->readonly);
-    }
-    if (memory_region_is_romd(mr)) {
-        return !is_write;
-    }
-
-    return false;
-}
-
 static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
 {
     unsigned access_size_max = mr->ops->valid.max_access_size;
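Review bot: The xen_enabled() clamp added in the -296,7 hunk carries no comment explaining why a direct (RAM/ROMD) access under Xen must stop at the next TARGET_PAGE_SIZE boundary, and the patch header only describes the upstream change of dropping the `len` local, so this downstream part of the patch is undocumented. Presumably the reason is that guest RAM under Xen is mapped into QEMU page by page rather than as one contiguous range, so a single host pointer cannot serve an access that crosses a page; that should be confirmed and stated in the code. Suggested comment above the new `if`: `/* Xen: a direct RAM/ROMD access must not cross a guest page, since consecutive guest pages need not be contiguous in QEMU's mapping of them -- TODO confirm against the Xen map cache */`. It would also help to note in the header that this hunk is a downstream addition on top of the upstream commit named on the Git: line, so a later rebase does not drop it as already-applied.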