Diffstat (limited to 'main/xen/xsa29-4.2-unstable.patch')
-rw-r--r--main/xen/xsa29-4.2-unstable.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/main/xen/xsa29-4.2-unstable.patch b/main/xen/xsa29-4.2-unstable.patch
new file mode 100644
index 0000000000..ec3111fab9
--- /dev/null
+++ b/main/xen/xsa29-4.2-unstable.patch
@@ -0,0 +1,49 @@
+xen: add missing guest address range checks to XENMEM_exchange handlers
+
+Ever since its existence (3.0.3 iirc) the handler for this has been
+using non address range checking guest memory accessors (i.e.
+the ones prefixed with two underscores) without first range
+checking the accessed space (via guest_handle_okay()), allowing
+a guest to access and overwrite hypervisor memory.
+
+This is XSA-29 / CVE-2012-5513.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff --git a/xen/common/compat/memory.c b/xen/common/compat/memory.c
+index 996151c..a49f51b 100644
+--- a/xen/common/compat/memory.c
++++ b/xen/common/compat/memory.c
+@@ -115,6 +115,12 @@ int compat_memory_op(unsigned int cmd, XEN_GUEST_HANDLE_PARAM(void) compat)
+ (cmp.xchg.out.nr_extents << cmp.xchg.out.extent_order)) )
+ return -EINVAL;
+
++ if ( !compat_handle_okay(cmp.xchg.in.extent_start,
++ cmp.xchg.in.nr_extents) ||
++ !compat_handle_okay(cmp.xchg.out.extent_start,
++ cmp.xchg.out.nr_extents) )
++ return -EFAULT;
++
+ start_extent = cmp.xchg.nr_exchanged;
+ end_extent = (COMPAT_ARG_XLAT_SIZE - sizeof(*nat.xchg)) /
+ (((1U << ABS(order_delta)) + 1) *
+diff --git a/xen/common/memory.c b/xen/common/memory.c
+index 83e2666..bdb6ed8 100644
+--- a/xen/common/memory.c
++++ b/xen/common/memory.c
+@@ -308,6 +308,13 @@ static long memory_exchange(XEN_GUEST_HANDLE_PARAM(xen_memory_exchange_t) arg)
+ goto fail_early;
+ }
+
++ if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) ||
++ !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) )
++ {
++ rc = -EFAULT;
++ goto fail_early;
++ }
++
+ /* Only privileged guests can allocate multi-page contiguous extents. */
+ if ( !multipage_allocation_permitted(current->domain,
+ exch.in.extent_order) ||