From mboxrd@z Thu Jan 1 00:00:00 1970 From: George Dunlap Subject: Re: [PATCH 21/22] libxc: range checks in xc_dom_p2m_host and _guest Date: Wed, 12 Jun 2013 17:08:56 +0100 Message-ID: <51B89D18.4020405@eu.citrix.com> References: <1370974865-19554-1-git-send-email-ian.jackson@eu.citrix.com> <1370974865-19554-22-git-send-email-ian.jackson@eu.citrix.com> <20920.40058.635699.510629@mariner.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Format="flowed" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20920.40058.635699.510629@mariner.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Ian Jackson Cc: Andrew Cooper , "xen-devel@lists.xensource.com" , Tim Deegan , mattjd@gmail.com, security@xen.org List-Id: xen-devel@lists.xenproject.org On 12/06/13 17:06, Ian Jackson wrote: > George Dunlap writes ("Re: [Xen-devel] [PATCH 21/22] libxc: range checks in xc_dom_p2m_host and _guest"): >> On Tue, Jun 11, 2013 at 7:21 PM, Ian Jackson wrote: >>> These functions take guest pfns and look them up in the p2m. They did >>> no range checking. >>> >>> However, some callers, notably xc_dom_boot.c:setup_hypercall_page want >>> to pass untrusted guest-supplied value(s). It is most convenient to >>> detect this here and return INVALID_MFN. >>> >>> This is part of the fix to a security issue, XSA-55. >>> >>> Signed-off-by: Ian Jackson >>> Cc: Tim Deegan >> I've taken a look at where things get returned here, and it seems like >> they should all be OK with INVALID_MFN. > Good. Does that mean that we should promote the check to be done in > the shadow_enabled case too ? Oh sorry, missed that question. I think it's safe, but you should get an ack from Tim to be sure. -George