Diffstat (limited to 'main/xen/xsa29-4.2-unstable.patch')
-rw-r--r-- | main/xen/xsa29-4.2-unstable.patch | 49 |
1 files changed, 0 insertions, 49 deletions
diff --git a/main/xen/xsa29-4.2-unstable.patch b/main/xen/xsa29-4.2-unstable.patch
deleted file mode 100644
index ec3111fab9..0000000000
--- a/main/xen/xsa29-4.2-unstable.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-xen: add missing guest address range checks to XENMEM_exchange handlers
-
-Ever since its existence (3.0.3 iirc) the handler for this has been
-using non address range checking guest memory accessors (i.e.
-the ones prefixed with two underscores) without first range
-checking the accessed space (via guest_handle_okay()), allowing
-a guest to access and overwrite hypervisor memory.
-
-This is XSA-29 / CVE-2012-5513.
-
-Signed-off-by: Jan Beulich <jbeulich@suse.com>
-Acked-by: Ian Campbell <ian.campbell@citrix.com>
-Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
-
-diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
-index 996151c..a49f51b 100644
---- a/xen/common/compat/memory.c
-+++ b/xen/common/compat/memory.c
-@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
- (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
- return -EINVAL;
-
-+ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
-+ cmp.xchg.in.nr_extents) ||
-+ !compat_handle_okay(cmp.xchg.out.extent_start,
-+ cmp.xchg.out.nr_extents) )
-+ return -EFAULT;
-+
- start_extent = cmp.xchg.nr_exchanged;
- end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
- (((1U << ABS(order_delta)) + 1) *
-diff --git a/xen/common/memory.c b/xen/common/memory.c
-index 83e2666..bdb6ed8 100644
---- a/xen/common/memory.c
-+++ b/xen/common/memory.c
-@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
- goto fail_early;
- }
-
-+ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
-+ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
-+ {
-+ rc = -EFAULT;
-+ goto fail_early;
-+ }
-+
- /* Only privileged guests can allocate multi-page contiguous extents. */
- if ( !multipage_allocation_permitted(current->domain,
- exch.in.extent_order) || |