From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH 21/22] libxc: range checks in
	xc_dom_p2m_host and _guest
Date: Fri, 7 Jun 2013 19:33:48 +0100
Message-ID: <51B2278C.8030507@citrix.com>
References: <1370629642-6990-1-git-send-email-ian.jackson@eu.citrix.com>
	<1370629642-6990-22-git-send-email-ian.jackson@eu.citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1370629642-6990-22-git-send-email-ian.jackson@eu.citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: "xen-devel@lists.xensource.com" <xen-devel@lists.xensource.com>, "mattjd@gmail.com" <mattjd@gmail.com>, "security@xen.org" <security@xen.org>
List-Id: xen-devel@lists.xenproject.org

On 07/06/13 19:27, Ian Jackson wrote:
> These functions take guest pfns and look them up in the p2m.  They did
> no range checking.
>
> However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
> to pass untrusted guest-supplied value(s).  It is most convenient to
> detect this here and return INVALID_MFN.
>
> This is part of the fix to a security issue, XSA-55.
>
> Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>

Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

>
> v6: Check for underflow too (thanks to Andrew Cooper).
> ---
>  tools/libxc/xc_dom.h |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
> index 567913f..2e33ee7 100644
> --- a/tools/libxc/xc_dom.h
> +++ b/tools/libxc/xc_dom.h
> @@ -341,6 +341,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn)
>  {
>      if (dom->shadow_enabled)
>          return pfn;
> +    if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages)
> +        return INVALID_MFN;
>      return dom->p2m_host[pfn - dom->rambase_pfn];
>  }
>  
> @@ -349,6 +351,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom,
>  {
>      if (xc_dom_feature_translated(dom))
>          return pfn;
> +    if (pfn < dom->rambase_pfn || pfn >= dom->rambase_pfn + dom->total_pages)
> +        return INVALID_MFN;
>      return dom->p2m_host[pfn - dom->rambase_pfn];
>  }
>