xen/gnttab: Validate input to GNTTABOP_swap_grant_ref

xen-unstable c/s 24548:d115844ebfbb introduces a new GNTTABOP to swap
grant refs.  However, it fails to validate the two refs passed from
the guest.

The result is that passing out-of-range refs can cause Xen to read
past the end of the grant_table->active[] array, and deference
whatever it finds.  Typically, this results in Xen trying to deference
a low pointer and fail with a page-fault.

As this hypercall can be issued by an unprivileged guest, this is a
Denial of Service against Xen.  This is XSA-18 / CVE-2012-3516.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Acked-by: Paul Durrant <paul.durrant@citrix.com>

diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index 20fee66ef81a12eff4f8243b79a3ea66e64600d1..a9864d7db78bc3dac8adb5e3971b61b5b70458ec 100644 (file)
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -2339,6 +2339,12 @@ __gnttab_swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b)
 
     spin_lock(&gt->lock);
 
+    /* Bounds check on the grant refs */
+    if ( unlikely(ref_a >= nr_grant_entries(d->grant_table)))
+        PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a);
+    if ( unlikely(ref_b >= nr_grant_entries(d->grant_table)))
+        PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-b (%d).\n", ref_b);
+
     act = &active_entry(gt, ref_a);
     if ( act->pin )
         PIN_FAIL(out, GNTST_eagain, "ref a %ld busy\n", (long)ref_a);