File CVE-2015-8817-qemuu-OOB-access-in-address_space... of Package xen

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch of Package xen (Revision fe1d1744a8ed7820af5694febca8c8fd)

Currently displaying revision fe1d1744a8ed7820af5694febca8c8fd , Show latest

References: bsc#969125 CVE-2015-8817

Subject: exec: Respect as_translate_internal length clamp
From: Peter Crosthwaite peter.crosthwaite@xilinx.com Mon Mar 16 22:35:54 2015 -0700
Date: Mon Apr 27 18:24:19 2015 +0200:
Git: 23820dbfc79d1c9dce090b4c555994f2bb6a69b3

address_space_translate_internal will clamp the *plen length argument
based on the size of the memory region being queried. The iommu walker
logic in addresss_space_translate was ignoring this by discarding the
post fn call value of *plen. Fix by just always using *plen as the
length argument throughout the fn, removing the len local variable.

This fixes a bootloader bug when a single elf section spans multiple
QEMU memory regions.

Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Message-Id: <1426570554-15940-1-git-send-email-peter.crosthwaite@xilinx.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Index: xen-4.4.4-testing/tools/qemu-xen-dir-remote/exec.c
===================================================================
--- xen-4.4.4-testing.orig/tools/qemu-xen-dir-remote/exec.c
+++ xen-4.4.4-testing/tools/qemu-xen-dir-remote/exec.c
@@ -267,6 +267,18 @@ address_space_translate_internal(Address
     return section;
 }
 
+static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
+{
+    if (memory_region_is_ram(mr)) {
+        return !(is_write && mr->readonly);
+    }
+    if (memory_region_is_romd(mr)) {
+        return !is_write;
+    }
+
+    return false;
+}
+
 MemoryRegion *address_space_translate(AddressSpace *as, hwaddr addr,
                                       hwaddr *xlat, hwaddr *plen,
                                       bool is_write)
@@ -274,10 +286,9 @@ MemoryRegion *address_space_translate(Ad
     IOMMUTLBEntry iotlb;
     MemoryRegionSection *section;
     MemoryRegion *mr;
-    hwaddr len = *plen;
 
     for (;;) {
-        section = address_space_translate_internal(as->dispatch, addr, &addr, &len, true);
+        section = address_space_translate_internal(as->dispatch, addr, &addr, plen, true);
         mr = section->mr;
 
         if (!mr->iommu_ops) {
@@ -287,7 +298,7 @@ MemoryRegion *address_space_translate(Ad
         iotlb = mr->iommu_ops->translate(mr, addr);
         addr = ((iotlb.translated_addr & ~iotlb.addr_mask)
                 | (addr & iotlb.addr_mask));
-        len = MIN(len, (addr | iotlb.addr_mask) - addr + 1);
+        *plen = MIN(*plen, (addr | iotlb.addr_mask) - addr + 1);
         if (!(iotlb.perm & (1 << is_write))) {
             mr = &io_mem_unassigned;
             break;
@@ -296,7 +307,11 @@ MemoryRegion *address_space_translate(Ad
         as = iotlb.target_as;
     }
 
-    *plen = len;
+    if (xen_enabled() && memory_access_is_direct(mr, is_write)) {
+        hwaddr page = ((addr & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE) - addr;
+        *plen = MIN(page, *plen);
+    }
+
     *xlat = addr;
     return mr;
 }
@@ -1900,18 +1915,6 @@ static void invalidate_and_set_dirty(hwa
     xen_modified_memory(addr, length);
 }
 
-static inline bool memory_access_is_direct(MemoryRegion *mr, bool is_write)
-{
-    if (memory_region_is_ram(mr)) {
-        return !(is_write && mr->readonly);
-    }
-    if (memory_region_is_romd(mr)) {
-        return !is_write;
-    }
-
-    return false;
-}
-
 static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
 {
     unsigned access_size_max = mr->ops->valid.max_access_size;

Places

File CVE-2015-8817-qemuu-OOB-access-in-address_space_rw-leads-to-segmentation-fault.patch of Package xen (Revision fe1d1744a8ed7820af5694febca8c8fd)

Places