File CVE-2016-9381-xsa197-qemut.patch of Package xen.5853

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-9381-xsa197-qemut.patch of Package xen.5853

xen: fix ioreq handling

Avoid double fetches and bounds check size to avoid overflowing
internal variables.

This is XSA-197.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Reviewed-by: Ian Jackson <ian.jackson@eu.citrix.com>

Index: xen-4.5.5-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/helper2.c
===================================================================
--- xen-4.5.5-testing.orig/tools/qemu-xen-traditional-dir-remote/i386-dm/helper2.c
+++ xen-4.5.5-testing/tools/qemu-xen-traditional-dir-remote/i386-dm/helper2.c
@@ -374,6 +374,11 @@ static void cpu_ioreq_pio(CPUState *env,
 {
     uint32_t i;
 
+    if (req->size > sizeof(unsigned long)) {
+        fprintf(stderr, "PIO: bad size (%u)\n", req->size);
+        exit(-1);
+    }
+
     if (req->dir == IOREQ_READ) {
         if (!req->data_is_ptr) {
             req->data = do_inp(env, req->addr, req->size);
@@ -403,6 +408,11 @@ static void cpu_ioreq_move(CPUState *env
 {
     uint32_t i;
 
+    if (req->size > sizeof(req->data)) {
+        fprintf(stderr, "MMIO: bad size (%u)\n", req->size);
+        exit(-1);
+    }
+
     if (!req->data_is_ptr) {
         if (req->dir == IOREQ_READ) {
             for (i = 0; i < req->count; i++) {
@@ -506,11 +516,13 @@ static int __handle_buffered_iopage(CPUS
         req.df = 1;
         req.type = buf_req->type;
         req.data_is_ptr = 0;
+        xen_rmb();
         qw = (req.size == 8);
         if (qw) {
             buf_req = &buffered_io_page->buf_ioreq[
                 (buffered_io_page->read_pointer+1) % IOREQ_BUFFER_SLOT_NUM];
             req.data |= ((uint64_t)buf_req->data) << 32;
+            xen_rmb();
         }
 
         __handle_ioreq(env, &req);
@@ -543,7 +555,11 @@ static void cpu_handle_ioreq(void *opaqu
 
     __handle_buffered_iopage(env);
     if (req) {
-        __handle_ioreq(env, req);
+        ioreq_t copy = *req;
+
+        xen_rmb();
+        __handle_ioreq(env, &copy);
+        req->data = copy.data;
 
         if (req->state != STATE_IOREQ_INPROCESS) {
             fprintf(logfile, "Badness in I/O request ... not in service?!: "

Places

File CVE-2016-9381-xsa197-qemut.patch of Package xen.5853

Places