The recent fix to validate the frontend's frame buffer description
neglected to limit the frame buffer size correctly. This lets a
malicious frontend make the backend attempt to map an arbitrary amount
of guest memory, which could be useful for a denial of service attack
against dom0.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
fprintf(stderr,
"FB: frontend fb size %zu limited to %zu\n",
fb_len, fb_len_lim);
+ fb_len = fb_len_lim;
}
if (depth != 8 && depth != 16 && depth != 24 && depth != 32) {
fprintf(stderr,
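Review bot: at the added `+ fb_len = fb_len_lim;` line, note that until this assignment the block only printed "frontend fb size %zu limited to %zu" and left `fb_len` unchanged, so the message claimed a limit that was never enforced and the frontend-supplied size still reached the mapping code; this one-line clamp is the actual fix. Suggest a brief comment above the assignment stating that `fb_len` is clamped here on purpose, so the message and the enforcement are not separated again in a later refactor.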