Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
xen.6641
xsa212.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa212.patch of Package xen.6641
memory: properly check guest memory ranges in XENMEM_exchange handling The use of guest_handle_okay() here (as introduced by the XSA-29 fix) is insufficient here, guest_handle_subrange_okay() needs to be used instead. Note that the uses are okay in - XENMEM_add_to_physmap_batch handling due to the size field being only 16 bits wide, - livepatch_list() due to the limit of 1024 enforced on the number-of-entries input (leaving aside the fact that this can be called by a privileged domain only anyway), - compat mode handling due to counts there being limited to 32 bits, - everywhere else due to guest arrays being accessed sequentially from index zero. This is XSA-212. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Index: xen-4.7.2-testing/xen/common/memory.c =================================================================== --- xen-4.7.2-testing.orig/xen/common/memory.c +++ xen-4.7.2-testing/xen/common/memory.c @@ -415,8 +415,8 @@ static long memory_exchange(XEN_GUEST_HA goto fail_early; } - if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || - !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) + if ( !guest_handle_subrange_okay(exch.in.extent_start, exch.nr_exchanged, + exch.in.nr_extents - 1) ) { rc = -EFAULT; goto fail_early; @@ -426,11 +426,27 @@ static long memory_exchange(XEN_GUEST_HA { in_chunk_order = exch.out.extent_order - exch.in.extent_order; out_chunk_order = 0; + + if ( !guest_handle_subrange_okay(exch.out.extent_start, + exch.nr_exchanged >> in_chunk_order, + exch.out.nr_extents - 1) ) + { + rc = -EFAULT; + goto fail_early; + } } else { in_chunk_order = 0; out_chunk_order = exch.in.extent_order - exch.out.extent_order; + + if ( !guest_handle_subrange_okay(exch.out.extent_start, + exch.nr_exchanged << out_chunk_order, + exch.out.nr_extents - 1) ) + { + rc = -EFAULT; + goto fail_early; + } } d = rcu_lock_domain_by_any_id(exch.in.domid); Index: xen-4.7.2-testing/xen/include/asm-x86/x86_64/uaccess.h =================================================================== --- xen-4.7.2-testing.orig/xen/include/asm-x86/x86_64/uaccess.h +++ xen-4.7.2-testing/xen/include/asm-x86/x86_64/uaccess.h @@ -29,8 +29,9 @@ extern void *xlat_malloc(unsigned long * /* * Valid if in +ve half of 48-bit address space, or above Xen-reserved area. * This is also valid for range checks (addr, addr+size). As long as the - * start address is outside the Xen-reserved area then we will access a - * non-canonical address (and thus fault) before ever reaching VIRT_START. + * start address is outside the Xen-reserved area, sequential accesses + * (starting at addr) will hit a non-canonical address (and thus fault) + * before ever reaching VIRT_START. */ #define __addr_ok(addr) \ (((unsigned long)(addr) < (1UL<<47)) || \ @@ -40,7 +41,8 @@ extern void *xlat_malloc(unsigned long * (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size)) #define array_access_ok(addr, count, size) \ - (access_ok(addr, (count)*(size))) + (likely(((count) ?: 0UL) < (~0UL / (size))) && \ + access_ok(addr, (count) * (size))) #define __compat_addr_ok(d, addr) \ ((unsigned long)(addr) < HYPERVISOR_COMPAT_VIRT_START(d))
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor