From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Juergen Gross <jgross@suse.com>
Subject: [PATCH 5.0 097/117] xen: Prevent buffer overflow in privcmd ioctl
Date: Mon, 15 Apr 2019 21:01:07 +0200 [thread overview]
Message-ID: <20190415183749.748211194@linuxfoundation.org> (raw)
In-Reply-To: <20190415183744.887851196@linuxfoundation.org>
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 42d8644bd77dd2d747e004e367cb0c895a606f39 upstream.
The "call" variable comes from the user in privcmd_ioctl_hypercall().
It's an offset into the hypercall_page[] which has (PAGE_SIZE / 32)
elements. We need to put an upper bound on it to prevent an out of
bounds access.
Cc: stable@vger.kernel.org
Fixes: 1246ae0bb992 ("xen: add variable hypercall caller")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/xen/hypercall.h | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -206,6 +206,9 @@ xen_single_call(unsigned int call,
__HYPERCALL_DECLS;
__HYPERCALL_5ARG(a1, a2, a3, a4, a5);
+ if (call >= PAGE_SIZE / sizeof(hypercall_page[0]))
+ return -EINVAL;
+
asm volatile(CALL_NOSPEC
: __HYPERCALL_5PARAM
: [thunk_target] "a" (&hypercall_page[call])
next prev parent reply other threads:[~2019-04-15 19:14 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-15 18:59 [PATCH 5.0 000/117] 5.0.8-stable review Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 001/117] drm/i915/gvt: do not let pin count of shadow mm go negative Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 002/117] kbuild: pkg: use -f $(srctree)/Makefile to recurse to top Makefile Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 003/117] netfilter: nft_compat: use .release_ops and remove list of extension Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 004/117] netfilter: nf_tables: use-after-free in dynamic operations Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 005/117] netfilter: nf_tables: add missing ->release_ops() in error path of newrule() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 006/117] hv_netvsc: Fix unwanted wakeup after tx_disable Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 007/117] ibmvnic: Fix completion structure initialization Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 008/117] ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 009/117] ipv6: Fix dangling pointer when ipv6 fragment Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 010/117] ipv6: sit: reset ip header pointer in ipip6_rcv Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 011/117] kcm: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 012/117] net: ethtool: not call vzalloc for zero sized memory request Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 013/117] net-gro: Fix GRO flush when receiving a GSO packet Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 014/117] net/mlx5: Decrease default mr cache size Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 015/117] netns: provide pure entropy for net_hash_mix() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 016/117] net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 017/117] net/sched: act_sample: fix divide by zero in the traffic path Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 018/117] net/sched: fix ->get helper of the matchall cls Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 019/117] openvswitch: fix flow actions reallocation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 020/117] qmi_wwan: add Olicard 600 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 021/117] r8169: disable ASPM again Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 022/117] sctp: initialize _pad of sockaddr_in before copying to user memory Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 023/117] tcp: Ensure DCTCP reacts to losses Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 024/117] tcp: fix a potential NULL pointer dereference in tcp_sk_exit Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 025/117] vrf: check accept_source_route on the original netdevice Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 026/117] net/mlx5e: Fix error handling when refreshing TIRs Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 027/117] net/mlx5e: Add a lock on tir list Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 028/117] nfp: validate the return code from dev_queue_xmit() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 029/117] nfp: disable netpoll on representors Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 030/117] bnxt_en: Improve RX consumer index validity check Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 031/117] bnxt_en: Reset device on RX buffer errors Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 032/117] net: ip_gre: fix possible use-after-free in erspan_rcv Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 033/117] net: ip6_gre: fix possible use-after-free in ip6erspan_rcv Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 034/117] net: bridge: always clear mcast matching struct on reports and leaves Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 035/117] net: thunderx: fix NULL pointer dereference in nicvf_open/nicvf_stop Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 036/117] net: vrf: Fix ping failed when vrf mtu is set to 0 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 037/117] net: core: netif_receive_skb_list: unlist skb before passing to pt->func Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 038/117] r8169: disable default rx interrupt coalescing on RTL8168 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 039/117] net: mlx5: Add a missing check on idr_find, free buf Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 040/117] net/mlx5e: Update xoff formula Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 041/117] net/mlx5e: Update xon formula Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 042/117] kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 043/117] lib/string.c: implement a basic bcmp Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 044/117] Revert "clk: meson: clean-up clock registration" Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 045/117] tty: mark Siemens R3964 line discipline as BROKEN Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 046/117] tty: ldisc: add sysctl to prevent autoloading of ldiscs Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 047/117] hwmon: (w83773g) Select REGMAP_I2C to fix build error Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 048/117] hwmon: (occ) Fix power sensor indexing Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 049/117] SMB3: Allow persistent handle timeout to be configurable on mount Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 050/117] HID: logitech: Handle 0 scroll events for the m560 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 051/117] ACPICA: Clear status of GPEs before enabling them Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 052/117] ACPICA: Namespace: remove address node from global list after method termination Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 053/117] ALSA: seq: Fix OOB-reads from strlcpy Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 054/117] ALSA: hda/realtek: Enable headset MIC of Acer TravelMate B114-21 with ALC233 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 055/117] ALSA: hda/realtek - Add quirk for Tuxedo XC 1509 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 056/117] ALSA: xen-front: Do not use stream buffer size before it is set Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 057/117] ALSA: hda - Add two more machines to the power_save_blacklist Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 058/117] mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 059/117] arm64: dts: rockchip: fix rk3328 sdmmc0 write errors Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 060/117] mmc: alcor: dont write data before command has completed Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 061/117] mmc: sdhci-omap: Dont finish_mrq() on a command error during tuning Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 062/117] parisc: Detect QEMU earlier in boot process Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 063/117] parisc: regs_return_value() should return gpr28 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 064/117] parisc: also set iaoq_b in instruction_pointer_set() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 065/117] alarmtimer: Return correct remaining time Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 066/117] drm/i915/gvt: do not deliver a workload if its creation fails Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 067/117] drm/sun4i: DW HDMI: Lower max. supported rate for H6 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 068/117] drm/udl: add a release method and delay modeset teardown Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 069/117] kvm: svm: fix potential get_num_contig_pages overflow Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 070/117] include/linux/bitrev.h: fix constant bitrev Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 071/117] mm: writeback: use exact memcg dirty counts Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 072/117] ASoC: intel: Fix crash at suspend/resume after failed codec registration Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 073/117] ASoC: fsl_esai: fix channel swap issue when stream starts Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 074/117] Btrfs: do not allow trimming when a fs is mounted with the nologreplay option Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 075/117] btrfs: prop: fix zstd compression parameter validation Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 076/117] btrfs: prop: fix vanished compression property after failed set Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 077/117] riscv: Fix syscall_get_arguments() and syscall_set_arguments() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 078/117] block: Revert v5.0 blk_mq_request_issue_directly() changes Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 079/117] block: do not leak memory in bio_copy_user_iov() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 080/117] block: fix the return errno for direct IO Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 081/117] genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 082/117] genirq: Initialize request_mutex if CONFIG_SPARSE_IRQ=n Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 083/117] virtio: Honour may_reduce_num in vring_create_virtqueue Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 084/117] drm/i915/dp: revert back to max link rate and lane count on eDP Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 085/117] ARM: OMAP1: ams-delta: Fix broken GPIO ID allocation Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 086/117] ARM: dts: rockchip: fix rk3288 cpu opp node reference Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 087/117] ARM: dts: am335x-evmsk: Correct the regulators for the audio codec Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 088/117] ARM: dts: am335x-evm: " Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 089/117] ARM: dts: rockchip: Fix SD card detection on rk3288-tinker Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 090/117] ARM: dts: at91: Fix typo in ISC_D0 on PC9 Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 091/117] arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 092/117] arm64: dts: rockchip: Fix vcc_host1_5v GPIO polarity on rk3328-rock64 Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 093/117] arm64: dts: rockchip: fix rk3328 rgmii high tx error rate Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 094/117] arm64: backtrace: Dont bother trying to unwind the userspace stack Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 095/117] arm64/ftrace: fix inadvertent BUG() in trampoline check Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 096/117] IB/mlx5: Reset access mask when looping inside page fault handler Greg Kroah-Hartman
2019-04-15 19:01 ` Greg Kroah-Hartman [this message]
2019-04-15 19:01 ` [PATCH 5.0 098/117] sched/fair: Do not re-read ->h_load_next during hierarchical load calculation Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 099/117] xtensa: fix return_address Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 100/117] csky: Fix syscall_get_arguments() and syscall_set_arguments() Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 101/117] x86/asm: Remove dead __GNUC__ conditionals Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 102/117] x86/asm: Use stricter assembly constraints in bitops Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 103/117] x86/perf/amd: Resolve race condition when disabling PMC Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 104/117] x86/perf/amd: Resolve NMI latency issues for active PMCs Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 105/117] x86/perf/amd: Remove need to check "running" bit in NMI handler Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 106/117] PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 107/117] PCI: pciehp: Ignore Link State Changes after powering off a slot Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 108/117] xprtrdma: Fix helper that drains the transport Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 109/117] powerpc/64s/radix: Fix radix segment exception handling Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 110/117] dm integrity: change memcmp to strncmp in dm_integrity_ctr Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 111/117] dm: revert 8f50e358153d ("dm: limit the max bio size as BIO_MAX_PAGES * PAGE_SIZE") Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 112/117] dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 113/117] dm: disable DISCARD if the underlying storage no longer supports it Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 114/117] dm integrity: fix deadlock with overlapping I/O Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 115/117] KVM: x86: nVMX: close leak of L0s x2APIC MSRs (CVE-2019-3887) Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 116/117] KVM: x86: nVMX: fix x2APIC VTPR read intercept Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 117/117] drm/virtio: do NOT reuse resource ids Greg Kroah-Hartman
2019-04-16 10:34 ` [PATCH 5.0 000/117] 5.0.8-stable review Jon Hunter
2019-04-17 11:03 ` Greg Kroah-Hartman
2019-04-16 11:27 ` Naresh Kamboju
2019-04-17 11:04 ` Greg Kroah-Hartman
2019-04-16 16:31 ` Guenter Roeck
2019-04-16 21:41 ` shuah
2019-04-17 6:15 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190415183749.748211194@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=boris.ostrovsky@oracle.com \
--cc=dan.carpenter@oracle.com \
--cc=jgross@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).