From: Keir Fraser Date: Thu, 15 May 2008 08:36:38 +0000 (+0100) Subject: ioemu: Fix PVFB backend to limit frame buffer size X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~14214^2~7 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=a2388da52dd1e3fa9cba5fc87d70e02648371aa4;p=xen.git ioemu: Fix PVFB backend to limit frame buffer size The recent fix to validate the frontend's frame buffer description neglected to limit the frame buffer size correctly. This lets a malicious frontend make the backend attempt to map an arbitrary amount of guest memory, which could be useful for a denial of service attack against dom0. Signed-off-by: Markus Armbruster --- diff --git a/tools/ioemu/hw/xenfb.c b/tools/ioemu/hw/xenfb.c index 32a94dced1..d1f34c4562 100644 --- a/tools/ioemu/hw/xenfb.c +++ b/tools/ioemu/hw/xenfb.c @@ -502,6 +502,7 @@ static int xenfb_configure_fb(struct xenfb *xenfb, size_t fb_len_lim, fprintf(stderr, "FB: frontend fb size %zu limited to %zu\n", fb_len, fb_len_lim); + fb_len = fb_len_lim; } if (depth != 8 && depth != 16 && depth != 24 && depth != 32) { fprintf(stderr,
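Review bot: In the `@@ -502,6 +502,7 @@` hunk of `xenfb_configure_fb`, the new `fb_len = fb_len_lim;` silently truncates the frontend's size and then carries on. The width, height and stride checks that should follow the depth test fall outside the visible context, so please confirm that they validate the frontend's geometry against the clamped `fb_len` rather than the original value. Otherwise a description that only fits the oversized buffer would be accepted against a smaller mapping. A one-line comment above the assignment would also help, noting that `fb_len` is frontend-controlled and must be bounded by `fb_len_lim` before it is used to size any mapping. The existing `fprintf` reads as if the limit were already applied, which is how the earlier fix missed it. Separately, that `fprintf` is triggered by frontend-supplied values, so it is worth checking how often a guest can cause reconfiguration and whether the message can be used to flood dom0's log.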