From a2388da52dd1e3fa9cba5fc87d70e02648371aa4 Mon Sep 17 00:00:00 2001 From: Keir Fraser Date: Thu, 15 May 2008 09:36:38 +0100 Subject: [PATCH] ioemu: Fix PVFB backend to limit frame buffer size The recent fix to validate the frontend's frame buffer description neglected to limit the frame buffer size correctly. This lets a malicious frontend make the backend attempt to map an arbitrary amount of guest memory, which could be useful for a denial of service attack against dom0. Signed-off-by: Markus Armbruster --- tools/ioemu/hw/xenfb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/ioemu/hw/xenfb.c b/tools/ioemu/hw/xenfb.c index 32a94dced1..d1f34c4562 100644 --- a/tools/ioemu/hw/xenfb.c +++ b/tools/ioemu/hw/xenfb.c @@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xenfb *xenfb, size_t fb_len_lim, fprintf(stderr, "FB: frontend fb size %zu limited to %zu\n", fb_len, fb_len_lim); + fb_len = fb_len_lim; } if (depth != 8 && depth != 16 && depth != 24 && depth != 32) { fprintf(stderr, -- 2.30.2