From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ian Jackson
Subject: [PATCH 21/22] libxc: range checks in xc_dom_p2m_host and _guest
Date: Tue, 11 Jun 2013 19:21:04 +0100
Message-ID: <1370974865-19554-22-git-send-email-ian.jackson@eu.citrix.com>
References: <1370974865-19554-1-git-send-email-ian.jackson@eu.citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <1370974865-19554-1-git-send-email-ian.jackson@eu.citrix.com>
List-Unsubscribe: ,
List-Post:
List-Help:
List-Subscribe: ,
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: xen-devel@lists.xensource.com
Cc: andrew.cooper3@citrix.com, Tim Deegan , mattjd@gmail.com, Ian Jackson , security@xen.org
List-Id: xen-devel@lists.xenproject.org

These functions take guest pfns and look them up in the p2m. They did no range checking. However, some callers, notably xc_dom_boot.c:setup_hypercall_page, want to pass untrusted guest-supplied value(s). It is most convenient to detect this here and return INVALID_MFN.

This is part of the fix to a security issue, XSA-55.

Signed-off-by: Ian Jackson
Cc: Tim Deegan

v6: Check for underflow too (thanks to Andrew Cooper).
---
 tools/libxc/xc_dom.h | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
index 5968e7b..86e23ee 100644
--- a/tools/libxc/xc_dom.h
+++ b/tools/libxc/xc_dom.h
@@ -342,6 +342,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn) { if (dom->shadow_enabled) return pfn; + if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn - dom->rambase_pfn]; }
@@ -350,6 +352,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom, { if (xc_dom_feature_translated(dom)) return pfn; + if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages) + return INVALID_MFN; return dom->p2m_host[pfn - dom->rambase_pfn]; } -- 1.7.2.5
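Review bot: In the xc_dom_p2m_host hunk, the upper-bound test `pfn >= dom->rambase_pfn + dom->total_pages` performs an addition that can wrap if `rambase_pfn + total_pages` exceeds the range of xen_pfn_t, in which case an out-of-range pfn would pass the check and index past p2m_host. Since the lower bound is already tested first, the subtraction is safe afterwards, so the second half can be written as `pfn - dom->rambase_pfn >= dom->total_pages`; that avoids the addition entirely and states directly the condition on the array index used on the next line. Also worth stating in the commit message that callers such as setup_hypercall_page must now compare the result against INVALID_MFN before using it, since returning INVALID_MFN only closes the hole if every caller passing untrusted pfns checks for it.

Review bot: In the xc_dom_p2m_guest hunk, the added check is a verbatim copy of the one in xc_dom_p2m_host; a single static inline helper that both functions call would keep the two range tests from drifting apart the next time one is touched (the same overflow point about `rambase_pfn + total_pages` applies here). Note too that the early `return pfn` for translated guests (and `shadow_enabled` in the host variant) sits above the new check, so on those paths callers still receive the unvalidated guest-supplied pfn; a comment at the early return, or a line in the commit message, should make clear that the range check only protects the non-translated p2m_host lookup.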