From f14fc87af896228782ab5eaf174ce7eb27c0c4ca Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Tue, 11 Sep 2012 14:06:43 +0200 Subject: [PATCH] tmem: consistently make pool_id a uint32_t Treating it as an int could allow a malicious guest to provide a negative pool_Id, by passing the MAX_POOLS_PER_DOMAIN limit check and allowing access to the negative offsets of the pool array. This is part of XSA-15 / CVE-2012-3497. Signed-off-by: Ian Campbell Committed-by: Jan Beulich --- xen/common/tmem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/tmem.c b/xen/common/tmem.c index aedac551d3..5f27ff019f 100644 --- a/xen/common/tmem.c +++ b/xen/common/tmem.c @@ -2417,7 +2417,7 @@ static NOINLINE int tmemc_save_subop(int cli_id, uint32_t pool_id, return rc; } -static NOINLINE int tmemc_save_get_next_page(int cli_id, int pool_id, +static NOINLINE int tmemc_save_get_next_page(int cli_id, uint32_t pool_id, tmem_cli_va_t buf, uint32_t bufsize) { client_t *client = tmh_client_from_cli_id(cli_id); @@ -2509,7 +2509,7 @@ out: return ret; } -static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp, +static int tmemc_restore_put_page(int cli_id, uint32_t pool_id, OID *oidp, uint32_t index, tmem_cli_va_t buf, uint32_t bufsize) { client_t *client = tmh_client_from_cli_id(cli_id); @@ -2521,7 +2521,7 @@ static int tmemc_restore_put_page(int cli_id, int pool_id, OID *oidp, return do_tmem_put(pool,oidp,index,0,0,0,bufsize,buf.p); } -static int tmemc_restore_flush_page(int cli_id, int pool_id, OID *oidp, +static int tmemc_restore_flush_page(int cli_id, uint32_t pool_id, OID *oidp, uint32_t index) { client_t *client = tmh_client_from_cli_id(cli_id); -- 2.30.2