From 785bc20cf1e4710b4d4e191a9c9e4d50e6c42b4c Mon Sep 17 00:00:00 2001
From: "kaf24@scramble.cl.cam.ac.uk"
Date: Thu, 2 Sep 2004 17:33:39 +0000
Subject: [PATCH] bitkeeper revision 1.1159.53.29 (41375973qY_UE105oFj3W3t-UwIp5g)

Fix security hole in multicall hypercall. Now check whether the multicall list overlaps Xen's private address space.
---
 xen/arch/x86/x86_32/entry.S | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/x86_32/entry.S b/xen/arch/x86/x86_32/entry.S
index e18089ae80..256d014863 100644
--- a/xen/arch/x86/x86_32/entry.S
+++ b/xen/arch/x86/x86_32/entry.S
@@ -148,6 +148,7 @@ ENTRY(continue_nonidle_task)
  * 2. We cannot recursively call HYPERVISOR_multicall, or a malicious
  * caller could cause our stack to blow up.
  */
+#define MULTICALL_ENTRY_ORDER 5
 do_multicall:
         popl %eax
         cmpl $SYMBOL_NAME(multicall_return_from_call),%eax
@@ -155,6 +156,13 @@ do_multicall:
         pushl %ebx
         movl 4(%esp),%ebx /* EBX == call_list */
         movl 8(%esp),%ecx /* ECX == nr_calls */
+        /* Ensure the entire multicall list is below HYPERVISOR_VIRT_START. */
+        movl %ecx,%eax
+        shll $MULTICALL_ENTRY_ORDER,%eax
+        addl %ebx,%eax /* EAX == end of multicall list */
+        jc bad_multicall_address
+        cmpl $__HYPERVISOR_VIRT_START,%eax
+        jnc bad_multicall_address
 multicall_loop:
         pushl %ecx
 multicall_fault1:
@@ -176,12 +184,17 @@ multicall_fault7:
         movl %eax,24(%ebx) # args[5] == result
         addl $20,%esp
         popl %ecx
-        addl $(ARGS_PER_MULTICALL_ENTRY*4),%ebx
+        addl $(1<
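Review bot: `#define MULTICALL_ENTRY_ORDER 5` is added with no comment tying it to the size of one multicall entry, even though both the new range check in the second hunk and the loop stride in the third hunk (`addl $(1<<MULTICALL_ENTRY_ORDER),%ebx`, replacing `ARGS_PER_MULTICALL_ENTRY*4`) now depend on 1<<5 matching the C-side entry layout; if the entry struct ever grows, the bounds check silently under-counts the list's extent. Suggest a comment such as `/* log2(size of one multicall entry) == 5; must equal ARGS_PER_MULTICALL_ENTRY*4 */`, or better, derive the constant from the shared header that presumably defines ARGS_PER_MULTICALL_ENTRY so the asm and C definitions cannot diverge. Placing the define in the middle of entry.S rather than next to the other multicall constants is also a style point worth fixing at the same time.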
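Review bot: The new range check does not bound nr_calls before the `shll $MULTICALL_ENTRY_ORDER,%eax`, so a count with any bit set above bit 26 has those bits shifted out, the shift's carry is then overwritten by the following `addl %ebx,%eax`, and the resulting small end address passes the `cmpl $__HYPERVISOR_VIRT_START`/`jnc` test while the loop still iterates the full count (it appears to count %ecx down, judging by the `pushl %ecx`/`popl %ecx` around the body) and walks beyond the checked range. Reject oversized counts before shifting, e.g. `cmpl $(1<<(32-MULTICALL_ENTRY_ORDER)),%ecx` / `jae bad_multicall_address` inserted ahead of `movl %ecx,%eax`, so that nr_calls*32 cannot exceed 32 bits; the existing `jc` after the `addl` then covers the remaining wrap case. `bad_multicall_address` is not defined in either visible hunk; the diffstat's 14 insertions suggest it is added in the truncated third hunk, but that should be confirmed. do_multicall continues outside this hunk.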