From: Andrew Cooper Date: Fri, 1 Jul 2016 00:02:04 +0000 (+0100) Subject: x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~433 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a9f3b3bad17d91e2067fc00d51b0302349570d08;p=xen.git x86/shadow: Avoid overflowing sh_ctxt->seg_reg[] hvm_get_seg_reg() does not perform a range check on its input segment, calls hvm_get_segment_register() and writes straight into sh_ctxt->seg_reg[]. x86_seg_none is outside the bounds of sh_ctxt->seg_reg[], and will hit a BUG() in {vmx,svm}_get_segment_register(). HVM guests running with shadow paging can end up performing a virtual to linear translation with x86_seg_none. This is used for addresses which are already linear. However, none of this is a legitimate pagetable update, so fail the emulation in such a case. This is XSA-187 / CVE-2016-7094. Reported-by: Andrew Cooper Signed-off-by: Andrew Cooper Reviewed-by: Tim Deegan --- diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 04ce322268..7032869aad 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -140,9 +140,18 @@ static int hvm_translate_linear_addr( struct sh_emulate_ctxt *sh_ctxt, unsigned long *paddr) { - struct segment_register *reg = hvm_get_seg_reg(seg, sh_ctxt); + const struct segment_register *reg; int okay; + /* + * Can arrive here with non-user segments. However, no such cirucmstance + * is part of a legitimate pagetable update, so fail the emulation. + */ + if ( !is_x86_user_segment(seg) ) + return X86EMUL_UNHANDLEABLE; + + reg = hvm_get_seg_reg(seg, sh_ctxt); + okay = hvm_virtual_to_linear_addr( seg, reg, offset, bytes, access_type, sh_ctxt->ctxt.addr_size, paddr);