From: Ian Jackson <ian.jackson@eu.citrix.com>
To: xen-devel@lists.xensource.com
Cc: andrew.cooper3@citrix.com, mattjd@gmail.com,
Ian Jackson <ian.jackson@eu.citrix.com>,
security@xen.org
Subject: [PATCH 21/21] libxc: range checks in xc_dom_p2m_host and _guest
Date: Thu, 6 Jun 2013 19:52:06 +0100 [thread overview]
Message-ID: <1370544726-30459-22-git-send-email-ian.jackson@eu.citrix.com> (raw)
In-Reply-To: <1370544726-30459-1-git-send-email-ian.jackson@eu.citrix.com>
These functions take guest pfns and look them up in the p2m. They did
no range checking.
However, some callers, notably xc_dom_boot.c:setup_hypercall_page want
to pass untrusted guest-supplied value(s). It is most convenient to
detect this here and return INVALID_MFN.
This is part of the fix to a security issue, XSA-55.
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
---
tools/libxc/xc_dom.h | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/tools/libxc/xc_dom.h b/tools/libxc/xc_dom.h
index 567913f..239ef33 100644
--- a/tools/libxc/xc_dom.h
+++ b/tools/libxc/xc_dom.h
@@ -341,6 +341,8 @@ static inline xen_pfn_t xc_dom_p2m_host(struct xc_dom_image *dom, xen_pfn_t pfn)
{
if (dom->shadow_enabled)
return pfn;
+ if (pfn >= dom->rambase_pfn + dom->total_pages)
+ return INVALID_MFN;
return dom->p2m_host[pfn - dom->rambase_pfn];
}
@@ -349,6 +351,8 @@ static inline xen_pfn_t xc_dom_p2m_guest(struct xc_dom_image *dom,
{
if (xc_dom_feature_translated(dom))
return pfn;
+ if (pfn >= dom->rambase_pfn + dom->total_pages)
+ return INVALID_MFN;
return dom->p2m_host[pfn - dom->rambase_pfn];
}
--
1.7.2.5
next prev parent reply other threads:[~2013-06-06 18:52 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-06 18:51 [PATCH v5 00/21] XSA55 libelf fixes for unstable Ian Jackson
2013-06-06 18:51 ` [PATCH 01/21] libelf: abolish libelf-relocate.c Ian Jackson
2013-06-06 18:51 ` [PATCH 02/21] libxc: introduce xc_dom_seg_to_ptr_pages Ian Jackson
2013-06-06 18:51 ` [PATCH 03/21] libxc: Fix range checking in xc_dom_pfn_to_ptr etc Ian Jackson
2013-06-06 18:51 ` [PATCH 04/21] libelf: add `struct elf_binary*' parameter to elf_load_image Ian Jackson
2013-06-06 18:51 ` [PATCH 05/21] libelf: abolish elf_sval and elf_access_signed Ian Jackson
2013-06-06 18:51 ` [PATCH 06/21] libelf: move include of <asm/guest_access.h> to top of file Ian Jackson
2013-06-06 18:51 ` [PATCH 07/21] libelf/xc_dom_load_elf_symtab: Do not use "syms" uninitialised Ian Jackson
2013-06-06 18:51 ` [PATCH 08/21] libelf: introduce macros for memory access and pointer handling Ian Jackson
2013-06-06 18:51 ` [PATCH 09/21] tools/xcutils/readnotes: adjust print_l1_mfn_valid_note Ian Jackson
2013-06-06 18:51 ` [PATCH 10/21] libelf: check nul-terminated strings properly Ian Jackson
2013-06-06 18:51 ` [PATCH 11/21] libelf: check all pointer accesses Ian Jackson
2013-06-06 18:51 ` [PATCH 12/21] libelf: Check pointer references in elf_is_elfbinary Ian Jackson
2013-06-06 18:51 ` [PATCH 13/21] libelf: Make all callers call elf_check_broken Ian Jackson
2013-06-06 18:51 ` [PATCH 14/21] libelf: use C99 bool for booleans Ian Jackson
2013-06-06 18:52 ` [PATCH 15/21] libelf: use only unsigned integers Ian Jackson
2013-06-06 18:52 ` [PATCH 16/21] libelf: check loops for running away Ian Jackson
2013-06-06 18:52 ` [PATCH 17/21] libelf: abolish obsolete macros Ian Jackson
2013-06-06 18:52 ` [PATCH 18/21] libxc: Add range checking to xc_dom_binloader Ian Jackson
2013-06-07 10:59 ` Matthew Daley
2013-06-07 14:53 ` Ian Jackson
2013-06-06 18:52 ` [PATCH 19/21] libxc: check failure of xc_dom_*_to_ptr, xc_map_foreign_range Ian Jackson
2013-06-06 18:52 ` [PATCH 20/21] libxc: check return values from malloc Ian Jackson
2013-06-06 19:47 ` Andrew Cooper
2013-06-07 10:45 ` Ian Jackson
2013-06-06 18:52 ` Ian Jackson [this message]
2013-06-07 8:59 ` [PATCH 21/21] libxc: range checks in xc_dom_p2m_host and _guest Andrew Cooper
2013-06-07 14:38 ` Ian Jackson
2013-06-06 19:26 ` [PATCH v5 00/21] XSA55 libelf fixes for unstable Ian Jackson
2013-06-07 8:14 ` Matthew Daley
2013-06-07 14:36 ` Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1370544726-30459-22-git-send-email-ian.jackson@eu.citrix.com \
--to=ian.jackson@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=mattjd@gmail.com \
--cc=security@xen.org \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).