From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Jackson Subject: [PATCH 23/23] libxc: Better range check in xc_dom_alloc_segment Date: Thu, 13 Jun 2013 19:15:02 +0100 Message-ID: <1371147302-20767-24-git-send-email-ian.jackson@eu.citrix.com> References: <1371147302-20767-1-git-send-email-ian.jackson@eu.citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1371147302-20767-1-git-send-email-ian.jackson@eu.citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xensource.com Cc: andrew.cooper3@citrix.com, mattjd@gmail.com, Ian Jackson , security@xen.org List-Id: xen-devel@lists.xenproject.org If seg->pfn is too large, the arithmetic in the range check might overflow, defeating the range check. This is part of the fix to a security issue, XSA-55. Signed-off-by: Ian Jackson Reviewed-by: Andrew Cooper --- tools/libxc/xc_dom_core.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/tools/libxc/xc_dom_core.c b/tools/libxc/xc_dom_core.c index 5f188c1..3df7171 100644 --- a/tools/libxc/xc_dom_core.c +++ b/tools/libxc/xc_dom_core.c @@ -511,7 +511,8 @@ int xc_dom_alloc_segment(struct xc_dom_image *dom, seg->vstart = start; seg->pfn = (seg->vstart - dom->parms.virt_base) / page_size; - if ( pages > dom->total_pages || /* double test avoids overflow probs */ + if ( pages > dom->total_pages || /* multiple test avoids overflow probs */ + seg->pfn > dom->total_pages || pages > dom->total_pages - seg->pfn) { xc_dom_panic(dom->xch, XC_OUT_OF_MEMORY, -- 1.7.2.5