From 4b9e508290c67b1f13bc0f6e059d23ba738995ce Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Wed, 5 Sep 2012 12:30:26 +0100 Subject: [PATCH] xen/gnttab: Validate input to GNTTABOP_swap_grant_ref xen-unstable c/s 24548:d115844ebfbb introduces a new GNTTABOP to swap grant refs. However, it fails to validate the two refs passed from the guest. The result is that passing out-of-range refs can cause Xen to read past the end of the grant_table->active[] array, and deference whatever it finds. Typically, this results in Xen trying to deference a low pointer and fail with a page-fault. As this hypercall can be issued by an unprivileged guest, this is a Denial of Service against Xen. This is XSA-18 / CVE-2012-3516. Signed-off-by: Andrew Cooper Acked-by: Paul Durrant --- xen/common/grant_table.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 20fee66ef8..a9864d7db7 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -2339,6 +2339,12 @@ __gnttab_swap_grant_ref(grant_ref_t ref_a, grant_ref_t ref_b) spin_lock(>->lock); + /* Bounds check on the grant refs */ + if ( unlikely(ref_a >= nr_grant_entries(d->grant_table))) + PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-a (%d).\n", ref_a); + if ( unlikely(ref_b >= nr_grant_entries(d->grant_table))) + PIN_FAIL(out, GNTST_bad_gntref, "Bad ref-b (%d).\n", ref_b); + act = &active_entry(gt, ref_a); if ( act->pin ) PIN_FAIL(out, GNTST_eagain, "ref a %ld busy\n", (long)ref_a); -- 2.30.2